MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4af92bdbce17e818adde9230fa30cd889bcb7e8f1a4d26742b5957bf1e8e6301. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4af92bdbce17e818adde9230fa30cd889bcb7e8f1a4d26742b5957bf1e8e6301
SHA3-384 hash: f286a2bc0358d669c45f820d1d8985e3443ed42f9e79db937ca49de1b4e4f7a91b536139c4b477a0bb1bd4cf63bd3953
SHA1 hash: 3fd84d0da1777eed6a71e644f20692c159d92122
MD5 hash: d05cbf7faf20f3097b7f0063efcbf9b8
humanhash: jig-hot-one-item
File name:Payment_Advice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:601'088 bytes
First seen:2020-08-19 11:29:02 UTC
Last seen:2020-08-19 12:45:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 067ac96964852c4a9f95b61a5d66562c (1 x Formbook)
ssdeep 12288:H/l1dc0+3Sk0C11E/urOBB5khRFUFGS3vMw9c3IwCn:HtlJkuFohRVw9qIwS
Threatray 2'236 similar samples on MalwareBazaar
TLSH 5DD4071CBC81F452F8A940BDBD45C2ED86983231591D05077FE13F2B7DE0AA89EA7E46
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: rdns0.kolsd.xyz
Sending IP: 104.131.97.10
From: Abdul Fakhoury<office@kolsd.xyz>
Reply-To: office@kolsd.xyz
Subject: FW: Your Outward Payment Advice, ACC: 01XXXXX4701 dated 18-Aug-2020
Attachment: Payment_Advice.img (contains "Payment_Advice.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48459/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/437710
Signature
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4af92bdbce17e818adde9230fa30cd889bcb7e8f1a4d26742b5957bf1e8e6301/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 16:09:53 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jl4sxw6oc7ubrlo6siypumgnrcn4w7updjgsm5bllfl36huommaq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
trickbot
Create hunting rule
Similar samples:
0f73e9d58b85ae9061722f0720ab2f76f9884042b9ac260e5c102564d4572004
Formbook
1f3a78fa36bc0741a38e82e73ea0a214ef806c0d968c70b99aa71c73864be656
Formbook
4077e5eeadfc447b88c36f638c37adc77ee35766a737e4a7aca64e61f2ef3d1a
Formbook
510b24a8ddcc1a99925f07d8ec0b56489930147a95810b787291b3396bd54a7c
Formbook
62afb1cbcacb77aa2ca99cc55c0e3536738415289f53c4a3a57d9b9cc08ee5ab
Formbook
878d3d77023a927c7dc6aaab23b90cd1203bcd1bacdeedf997692a4c60d24129
Formbook
9963cb9f95312d222c99fac596b5bf02d81ace63ebde79c37e2312d3e2ecd32f
Formbook
b152c155460d293eee7224b2a49e1121fb19df274c5b2728e9571afaff1845c6
Formbook
bffc9c0c74952c439ca980be37a1f1e21c182b13c992f1a345a541413bfea91a
Formbook
d4224f6f5b734de53a5a7e5f5675b05f9a808deb058e64d00859146f8255594c
Formbook
+ 2'226 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200819-bjmmz9rgb2/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.magentos2.info/mte0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Noon
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/4af92bdbce17e818adde9230fa30cd889bcb7e8f1a4d26742b5957bf1e8e6301

File information

The table below shows additional information about this malware sample such as delivery method and external references.

c677926e5bdc0192589e004afcf55425

Formbook

Executable exe 4af92bdbce17e818adde9230fa30cd889bcb7e8f1a4d26742b5957bf1e8e6301

(this sample)

  
Dropped by
MD5 c677926e5bdc0192589e004afcf55425
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48459/

Comments