MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37812e3e7309cc0348c77208870cbeb44636a785dec26241fc6e392905edf91e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37812e3e7309cc0348c77208870cbeb44636a785dec26241fc6e392905edf91e
SHA3-384 hash: fb78bc9fe78ccee7aa8c523e95b416692b4cbd47623fb4fa96af95daaef3a684f7965bcb029912626121675ebbf936b9
SHA1 hash: ca5b19498a34ecbd3bbb6c4cce1815c54a5beb58
MD5 hash: 603c057f5be38f515f37db8fddf0e218
humanhash: beer-lactose-july-mississippi
File name:RFQPO700125210.bat
Download: download sample
Signature FormBook
Create hunting rule
File size:396'800 bytes
First seen:2020-05-26 08:11:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:nwuKvDgEEX5Psp7M19w28HSv06Vxyb819n5TkvRWTm:Obz2U7M1ag
Threatray 5'304 similar samples on MalwareBazaar
TLSH BE849D9C3250B6DFC827C976DAA46C60EB61B47B430BD343A45316ADAA0D69BCF114F3
Reporter abuse_ch
Tags:bat FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: ip-143-95-1-123.iplocal
Sending IP: 65.75.147.183
From: Qatalum Services LLC <info@qatalum.com>
Subject: Qatalum RFQ PO700125210 Supply
Attachment: RFQPO700125210.r15 (contains "RFQPO700125210.bat")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Artemis603C057F5BE3.1284.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 08:40:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
0e319c36c39c8504a0349445b2282bc450758b7e670a3477c0653b1daafffaff
FormBook
308336495b7fa2af7107a520ec1fdcaac4a0d615e0ecfd8ddd6090c72c3f46b6
FormBook
3b7dc89103d8c49eea88bd302c37e6b9c1f1ae13bdd38c9ff9709568b9f56e3b
FormBook
42895dc552049d3cfd80ced83d8e2fbfc30adc3799e3748aa5f9e7df32373a58
FormBook
4d4f1920e857285f7bb60473910ffabdd1cbbbb9140be18af0f226a247159546
FormBook
9ebbeaf380d12e97972f57de2e052f1e043370d0be0bcd0deb3ebc5334cc68a2
FormBook
a34a05f4fba031be97dcc4bb04e0e45a75d1034cd2d32177b26a65de7a1306a0
FormBook
a5a17e29758a200bd8bd3805f5b1f292a236ee994274033ee1953ec7e9690db3
FormBook
da6fd7aeb4a04410109f9f170589fe5262a1922a7dabc5b7b26e0af00dcdaba3
FormBook
f6557b3412ca78e87ff38632aaf24732b74da646678fd6ea5f01134bb498fd14
FormBook
+ 5'294 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook coreentity rat rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-rse15nm3pe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
rezer0
CoreEntity .NET Packer
Formbook
Malware Config
C2 Extraction:
http://www.regulars5.com/jac0/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 2bd3137ba447db9c1085add374876ea4a034d6fcfbe0108038ab04ad60614b76

FormBook

Executable exe 37812e3e7309cc0348c77208870cbeb44636a785dec26241fc6e392905edf91e

(this sample)

  
Dropped by
MD5 41ac3d6847c1e80bda7beb56e276cd34
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2bd3137ba447db9c1085add374876ea4a034d6fcfbe0108038ab04ad60614b76

Comments