MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3906afd9e6d7463f7d0886a54417f1c976bf647d96912340187a5851eaede2eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	3906afd9e6d7463f7d0886a54417f1c976bf647d96912340187a5851eaede2eb
SHA3-384 hash:	28feeec66c8826e606b13525e3a3e9bbc6bac1ccce95ae4b30bd94b8ae93e64c3979d3871b1f2eb971d1988083601527
SHA1 hash:	f0282844e580fba534b11afce612288eed8c0272
MD5 hash:	31e2e0e7ff95d2aeeef0b34e588a7c89
humanhash:	alabama-eleven-purple-ink
File name:	Factory - USPL.doc.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	1'203'712 bytes
First seen:	2020-03-19 06:02:43 UTC
Last seen:	2020-03-19 07:42:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:+XVpmPIXFpp+7OmJ9j1WVMAXVpmPIXFpG5AZ:2VgPIXF89wlVgPIXF8I
Threatray	4'919 similar samples on MalwareBazaar
TLSH	2C45E1C41315BB5BC7E991FBC4A403B833E5C68FD506E685D618E695081B31F8AAFE83
Reporter	jarumlus
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/5326/

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.22021.29032.3278.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-03-18 20:37:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

37 of 48 (77.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hedk7wpg25dd67iiq2suif7rzf3l6zd5s2isgqaypjmfd2xn4lvq._file

Verdict:

malicious

FormBook

688bbbec6580aef53228d5fa7a1ea910084cfdde7e1e6a580cfac50f1327a154

FormBook

730fd544eac15f337f3d2acfd6473f2ab1d8037da100855ca93cdc88f9edf681

FormBook

7d65c5f831361d3e7441c49dfe9e5a286c1b142fa1315c3460e144b240a2afaa

FormBook

8dedf7b9a9babc72bdd7744a378402556bac9eac95aa519ac26f945b9c7de410

FormBook

9d28d2b3cdf1132a476d9369c8226dd825be71fff0fe59de8eabc8771e4333e7

FormBook

a55e0055555b9fd9a4434bd07b5f9b60b98f5e587b8fccdf4aabe2f55d3290ca

FormBook

b2d60c8915d3180d7416c1c7067bb63b0002145b7dfb0fecfb2899cbabf0c274

FormBook

bb87a6186306d0417e723b3ae04b70193f32d8b5fe479de840ed10f243234c4d

FormBook

ccfb3375ab05225fa22bce51864a9fcdfa3b73d09a207c10a6f60b23dd05661a

FormBook

+ 4'909 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3906afd9e6d7463f7d0886a54417f1c976bf647d96912340187a5851eaede2eb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/5326/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample