MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 440210947a4e6ccdc60e1447ee39bac99cb2e3806b3d5db06d5758cc4ac6cc50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	440210947a4e6ccdc60e1447ee39bac99cb2e3806b3d5db06d5758cc4ac6cc50
SHA3-384 hash:	98ad0b7a4f64f110951b2880b02e94cdd6534ec05631c48abaf4ab638209d883f38005e714f7108e25cb4f3b4935407e
SHA1 hash:	f4b3d37222250fbbe472cb36dd0efab65128b651
MD5 hash:	6e5d56265f88a6e736d94c884d1b9fac
humanhash:	grey-enemy-winner-sad
File name:	Purchase order PO045793 from Voile Trading Co.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	346'112 bytes
First seen:	2020-05-27 06:28:34 UTC
Last seen:	2020-05-27 08:16:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b6d4203453b320f6bfb973eb37ed88ff (3 x FormBook)
ssdeep	6144:JlxSj+pZlSYdaXkFnGb2teLlaMSFLPGH9CUCZ7x6XDzdkD:7xYKLRpy2t0l9SFTU9Cxl6zzdkD
Threatray	4'883 similar samples on MalwareBazaar
TLSH	3574BF22F92C553CD53F62B47EC3CDAA8EEA55E3906F4C56CA9CD201C86C6C09997237
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: regular1.263xmail.com
Sending IP: 211.150.70.198
From: Divine Gutierrez <sales02@ywxspring.com>
Subject: Re:Purchase order PO045793 from Voile Trading Co
Attachment: Purchase order PO045793 from Voile Trading Co.zip (contains "Purchase order PO045793 from Voile Trading Co.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

79

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2020-05-27 06:35:45 UTC

File Type:

PE (Exe)

Extracted files:

7

AV detection:

32 of 48 (66.67%)

Threat level:

2/5

Verdict:

malicious

Label(s):

trickbot

emotet

Similar samples:

16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e

347aa505ad319b4d8ee54aabe34dfc2af12b4747af23c6b635821ba9aedd0e32

4bc2794576ebc0396a825e7b5f5fa26303e79972e7a2d68ded5cd68729288107

5962532a97c0efd1227d42aeddeacf09c0f8c8787e476e650d71ceed4ed52d97

8791d7218610249f735812d5d7f4f890e0e399c3efab189221bfe96732fc2b1e

967360ebfc55336f03edccc32869b0e6b65c17e66fcdac083d4bcc185b852c0d

9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838

9c1501fbd2eb669ccbe4a41e37770191e954e6f0dd3e0a954a0670a91df3917c

a492b017c3e12fe55493c562ed1304155616cb61b24f6dce0bfcd3eb7a7bdaf5

ece024ccd4accbc99e106f03c4b4764765b37615e3caa0b021084ac5f689cc3e

+ 4'873 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-hl7ddwxcdn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Gathers network information

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.chilogae.com/mw9/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip de93b808a41f159ac9e0fc59f0808032d9a101077a2b3402dd768de6f1a49b60

exe 440210947a4e6ccdc60e1447ee39bac99cb2e3806b3d5db06d5758cc4ac6cc50

(this sample)

Dropped by

MD5 3b2c84acc314c4508c43fffa9ab4c662

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 de93b808a41f159ac9e0fc59f0808032d9a101077a2b3402dd768de6f1a49b60

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample