MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a7e2e98243c188fbda3734b22856c30febb41d1f7e0ddbc034906288aa72dae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	3a7e2e98243c188fbda3734b22856c30febb41d1f7e0ddbc034906288aa72dae
SHA3-384 hash:	36c9f7fe44f5f9ecffff1f7bc9c7baab1d06cf49381e4e9aa94f799ea986f79026561f3ebf66590f9a40e28f38f38a6c
SHA1 hash:	ad69c5d385a4d7156c8ff3eeb2379739c53ded02
MD5 hash:	7e17022d4cb372a3a853feedcd918d90
humanhash:	louisiana-texas-oklahoma-skylark
File name:	order SEP.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	403'968 bytes
First seen:	2020-06-10 07:44:15 UTC
Last seen:	2020-06-10 09:18:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:hggbb6+QJuMPL1Mmn8Ps1LylCv68+6VBqVa0r0NfzxEZcLBEod:hgS2+Q1Lb8U1L2Cv68+y2
Threatray	4'890 similar samples on MalwareBazaar
TLSH	6E848D893650B29FC82BCD7789982C24AB6074A7531BD343A45716ED9D0DBEBCF106E3
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: server.neileshcorp.solutions
Sending IP: 162.241.215.144
From: Helen He <dinamikakarg@post.com>
Subject: Re: Specification and products
Attachment: order SEP.zip (contains "order SEP.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

75

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Mal.Generic-S.1422.22289.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-06-10 07:46:07 UTC

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hj7c5gbehqmi7pndonfsfblmgd7lwqor67qn3padjedcrcvhfwxa._file

Verdict:

malicious

Similar samples:

00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35

1621dac1140afd3e3eed4b0f4ab0a93e81cd56c76e7532a0cc03d0b5a8dae04d

16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e

228e2e5ff30fec5cdde918f48e98664d9bf1f77f550666baa21208ca9b047af4

54828c080b94bdbf7bc08ff7a3fc69fa5a91d1b067d2997af8ef60c0304b4aed

63b52bedfe18fe9a059dafcf21ed7d2bd58b00e8b4078c98e165c36e3d347b60

9c5d88a1518cd310e763757d9acd267ed5741d6c79036e1053381729a0d700ca

a14dc3eb54f3876b3a2bfc6e0aa105c832fc5424130c43248995cceda6790133

b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663

f3f3cda95f4d655f189381268676beef7ab70ed8355ff178abcad416c71adb22

+ 4'880 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-r19mqcwn1j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

ServiceHost packer

rezer0

Formbook

Malware Config

C2 Extraction:

http://www.tromagy.com/g8u/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 365876fb9df710d6479e62ba3e5d95e524018c5fa0a37ccf9f674ff23dc6fb9d

exe 3a7e2e98243c188fbda3734b22856c30febb41d1f7e0ddbc034906288aa72dae

(this sample)

Dropped by

MD5 b2e898c1a6a1aa5d1e88a6df087b06db

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 365876fb9df710d6479e62ba3e5d95e524018c5fa0a37ccf9f674ff23dc6fb9d

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample