MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cd679aa5f3ccf47e45a2600bbaedbbacb5e606035656b03172aed4aebe9973a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cd679aa5f3ccf47e45a2600bbaedbbacb5e606035656b03172aed4aebe9973a
SHA3-384 hash: c0fe466bc687bc1353e74d97cc473aa72e66563d804fc610eac9e89514e4bbb0c7891f6a17edbbd9a2e99046fb0722e3
SHA1 hash: 5d38f12f1b124a454e5a0443c14bdfa8cc1d78f4
MD5 hash: 592b7649c7682c19bfd909b883a72139
humanhash: ohio-vermont-pasta-double
File name:Scan inv17082020.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:196'800 bytes
First seen:2020-08-18 13:29:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:YmjI+Hrjhr1QGlWYJTYGSvdFODXMMY7WESsS2lBZNOhMKvv75MnE+d50e7o8LX4a:YmjI+Hrjhr1QGlWYJTYGSvdFODXMMY7j
Threatray 2'192 similar samples on MalwareBazaar
TLSH 4C14974266407211D5A9317D83E69C5833B8ACFB0AF1980DCF857A9EF9B21E3685C6CD
Reporter abuse_ch
Tags:FormBook scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.africanfitness.pw
Sending IP: 161.129.65.69
From: SALES <citrroen.gouws@gmail.com>
Reply-To: citrroen.gouws@gmail.com
Subject: Request for Quote
Attachment: Scan inv17082020.uue (contains "Scan inv17082020.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47939/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4cd679aa5f3ccf47e45a2600bbaedbbacb5e606035656b03172aed4aebe9973a/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 13:31:07 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jtlhtks7hthupzc2eyalxlw3xlfv4ydagvswwayxflwuv27js45a._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
017bb0ec25e33f7dbefcac17b8bdfc5ca199579e0d7a14670270eef15ff8abce
Formbook
0e1253abec933b14f592f8ab6fcfaeba8fb3b9d24f9ef2a7021345d2fc738b3f
Formbook
2ea74bf397854358ce0363ce3176f0c0dc40ac0efb6f378422e2d72c8c078372
Formbook
68b06b7a02ddedc6cca5e2c9e2f91fe8374440ad93aa04e40a84cde5a76f8234
Formbook
7346b3b5523c501e13b4ad1e8ebd685711bc168135f818685b9937d19304883b
Formbook
777d646e09cf725986f3617d40d5bca943d077015759e346e3e8f5314cac13ce
Formbook
9a1bbd02f1dc5ae62f13a00f38067354bf8a754e72e3ebee49a8b6aaa7b7e41f
Formbook
db14f4188f9a9cd454cf4253cefae20a8604499afcaf61e64031f42db6dc8baa
Formbook
f72897f4747769b169b5969fcde3b1b7ec92b79e0fb2e67a9d72650ac14c8d56
Formbook
fad4f5a49b06971b1e9f09356dd43bf47cdeddc1b4af2d6cda4369c73a352cc7
Formbook
+ 2'182 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat persistence spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/200818-c4l2jfyylj/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mage-cart.info/d9s8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4cd679aa5f3ccf47e45a2600bbaedbbacb5e606035656b03172aed4aebe9973a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

uue 1b2c852bc6c8cc6b893e2a3bc472482b1db253d90da2ba081592038315c6781b

Formbook

Executable exe 4cd679aa5f3ccf47e45a2600bbaedbbacb5e606035656b03172aed4aebe9973a

(this sample)

  
Dropped by
MD5 37c3d2f34f51f57a64f30baa8b6b2cf0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1b2c852bc6c8cc6b893e2a3bc472482b1db253d90da2ba081592038315c6781b
Cape
Cape
https://www.capesandbox.com/analysis/47939/

Comments