MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4092b0f7ea14add16e6f6f35071b074458a19d4550af50a80ed5742cc7046568. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4092b0f7ea14add16e6f6f35071b074458a19d4550af50a80ed5742cc7046568
SHA3-384 hash: d2504af5bcb9628f253a9445f60b5f4fdb4d9af318911af5cde7207e425c5fb39a291ab44f44529f861ffad1a5abf7c4
SHA1 hash: b0e926330b4b67e823c2a12e9b8fa789a1b9291f
MD5 hash: 08b794da39ef13910c12b15e072c1edd
humanhash: blossom-alpha-chicken-fourteen
File name:PO CS009123 R10.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:370'688 bytes
First seen:2020-06-18 06:02:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:SO3uLzHfKwis4qUCJdC8cFd+TPRyQlblF9SMHMc+lTQsJ+NcMunmfUHkY:tuLBY8dC5E4QlxFP7+5QsJ+g+Ek
Threatray 5'192 similar samples on MalwareBazaar
TLSH A474D00976B8DE11F47C7BFAD5E604200F7DAD223612F21E2AF4329D09727E6590279B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: vps.sandrovicari.cc
Sending IP: 45.95.169.67
From: Mohannad A Alzeer <m.alzee@arabianbroz.com>
Subject: Re:Purchase Order
Attachment: PO CS009123 R10.IMG (contains "PO CS009123 R10.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19634/
Detection(s):
SecuriteInfo.com.BehavesLike.Generic.fc.30295.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-18 06:04:12 UTC
AV detection:
33 of 48 (68.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=icjlb57kcsw5c3tpn42qogyhirmkdhkfkcxvbkao2v2czryemvua._file
Verdict:
malicious
Similar samples:
1397dc48d497802e469f2dc1509622cc2aa0382dfe63011767eef0c5cb24e6af
FormBook
31f02d35e3e941b42298936bd026b39a5d682825bc4b4277945f9f0143617931
FormBook
60b16ec5588cc16f4513cd9c999ec223894cef95f7b48c5b180bfcf3852d1521
FormBook
65cd6807556189c85811f11fb91a981749e7d9760e5a72c0845dd6b8ff93a8f9
FormBook
66812d316b85e20248c4af1f141a372ec1e434d951f7c6fc51402ab23da87845
FormBook
773fbca16ec67d4820654e39aaa65645f8608a8f7186f12b5ed62498ff1334c6
FormBook
89819dbac176147b14b878250b43d1954844e6f0d4bace8b4607bad4405ca96b
FormBook
8c0b9f69c227d86700be2a4dc67460fa30e46610e444a7dbe143a9bc5bda1297
FormBook
bb0c96dd4021c9d4f7b7f85ce5372ef74f7ba8c1a257d2c152db052020219799
FormBook
e8172cbc3806d750d00a5619e618ffc068b9d8247b5f4da507642e70e32ac3f9
FormBook
+ 5'182 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware evasion trojan stealer family:formbook
Link:
https://tria.ge/reports/200624-a5knv3lvqa/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
System policy modification
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img f02b9aaeb8bb7359fdd8fc85f693292d863a481eea4213e066661a35c52087fe

FormBook

Executable exe 4092b0f7ea14add16e6f6f35071b074458a19d4550af50a80ed5742cc7046568

(this sample)

  
Dropped by
MD5 3a544925245ef4452fbd234d2e2817eb
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f02b9aaeb8bb7359fdd8fc85f693292d863a481eea4213e066661a35c52087fe
Cape
Cape
https://www.capesandbox.com/analysis/19634/

Comments