MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 568a6bfbf5ce68d84fba719dcbee920751fb52b24890c6a9f6258aa670026d07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	568a6bfbf5ce68d84fba719dcbee920751fb52b24890c6a9f6258aa670026d07
SHA3-384 hash:	ff2057e78e830f0bea1686f790c9e73692622e29deb831e35610aa46bd3acc0c5a3e2aea4462b5ff28dd84b58db16049
SHA1 hash:	066e6311f3ae3c133e4dd6fe5b5b74e0dd8bc0fe
MD5 hash:	eff8d83878a21a67564864f6a4da8f66
humanhash:	sink-oven-yellow-uniform
File name:	eff8d83878a21a67564864f6a4da8f66.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	576'512 bytes
First seen:	2020-05-18 08:16:33 UTC
Last seen:	2020-05-18 09:20:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:8s+0QEvd6YbbcrMYm8I7rm6tZp3infs+bm8k8y+rwzTn:8svvd6nMjxZ
Threatray	5'305 similar samples on MalwareBazaar
TLSH	C5C418997670FDAFC5A7D87B89543C24AE1C6CA64B1BF103A0173198ED7E997CE040E2
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

2

# of downloads :

94

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.CIL.HeapOverride.Heur.21537.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-18 08:35:59 UTC

File Type:

PE (.Net Exe)

Extracted files:

46

AV detection:

21 of 31 (67.74%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k2fgx67vzzunqt52ogo4x3usa5i7wuvsjcimnkpwewfkm4acnudq._file

Verdict:

malicious

Similar samples:

043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42

0a569518c639a3016fb301034043c0f1536cecd205196f0c1321c77ea0e941e2

150bca9ea5a4c5835f0e665b2db300d12a741b3a452c74678be7d0ee8236668f

19e839e299b4a6f1ddbfb8f1adae91011b0cd40d9d095b5de75004becd7a364c

223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a

3fbaa0ca4cd86fb032909b6ba6530930b0ad14aa4fd39b5059380f51c31c3808

5b6b8e78568b828610d9d85128e14e34938614f7fc2885569995834678da14b2

76333652b5c82499dde362e8892ff2316a455ee5118f6127d6462ec3654cd544

c97caa35170c05c95c5b92a03068cfa944ad0d629fdd23d1fd11f7af4d5da095

e64a40c05ac395f8751ac149772087476c75ae46a7e7831fbd00b20fd3edcf99

+ 5'295 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-akhera67q6/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.howndey.com/xd4/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 568a6bfbf5ce68d84fba719dcbee920751fb52b24890c6a9f6258aa670026d07

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample