MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 410913abf4e31e757643eef79c7252e4c8b046825de18b2ea121d927e9f592e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 410913abf4e31e757643eef79c7252e4c8b046825de18b2ea121d927e9f592e3
SHA3-384 hash: 488bd192c00e23781f40013b70e6d170dd0d32604ab4d1f82eaa9e2d3ae262e7df11b2829968e3a93c5d341c4ff1ae4b
SHA1 hash: c4e9bfc56f804a4bad3fe3e451e03d015a29080b
MD5 hash: 4d65c7b4321fe50769884e74342a14c0
humanhash: mirror-lactose-orange-beer
File name:Invoice.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:335'360 bytes
First seen:2020-05-19 08:06:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d5fad844b2c47cd92aae84559cf2b888 (6 x FormBook)
ssdeep 3072:vpCVtwJoppXBtd53KHZQbYFzhJF14RcBxp7UkVtiv0z4PQ8TvqvXCozOekni1E:8fppXBzYHZQMzzj4RWVV0wpHXDzdki
Threatray 5'126 similar samples on MalwareBazaar
TLSH 50648C22AA5CCEACC53F41767993CD6A8DDD5DF360AF8CA8C178E340C43D681C59A13A
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: db9452k-1.ixlhosting.nl
Sending IP: 5.61.253.39
From: Sharon Hsia<eladio@somers.com>
Reply-To: <stoh@hansollvina.com>
Subject: AW:AW:Profoma
Attachment: Invoice.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

SecuriteInfo.com.Mal.Generic-S.12175.5011.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 00:15:23 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
21 of 31 (67.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ieerhk7u4mphk5sd533zy4ss4telaruclxqywlvbehmsp2pvslrq._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
trickbot
Create hunting rule
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
FormBook
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
FormBook
322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e
FormBook
5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6
FormBook
722c38612f58a2762ae67f38d4342c7aaa59c89c3546cbe0d69f4700b55420fa
FormBook
a88caf11b01cea311aca13b6e757a8974d5033e1acb8749b9d1951ed0d93d44c
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
c5b06fbd603308f84e5f80396dc5de515ec75a43825732c8a53265add22942c8
FormBook
ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
+ 5'116 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-6dts5r2zb6/
Behaviour
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Deletes itself
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mansiobok.info/mm20/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe 410913abf4e31e757643eef79c7252e4c8b046825de18b2ea121d927e9f592e3

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments