MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 575cd2d06aa99a48ed59b412bb87aba3b3e3cd66093c7f9efd118bf533032ba3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 575cd2d06aa99a48ed59b412bb87aba3b3e3cd66093c7f9efd118bf533032ba3
SHA3-384 hash: d386274ae7667fc8abda7d3be36bdb8f78955d48d4e15756ca4c4865744c8130e59db1438786bc0cd2699a221916e32f
SHA1 hash: 0257125b4e77f3dffeb21709a39668115015c0b8
MD5 hash: 00d7241de149d6511579e6d5ad7974ec
humanhash: blue-chicken-dakota-colorado
File name:Purchase Order.pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:394'752 bytes
First seen:2020-05-26 10:14:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:CXhRAtLLSPuwTL0fJ6KlwrSjL820csqJfZ:08tLOPV3W
Threatray 5'105 similar samples on MalwareBazaar
TLSH 69849D9C365475EFC81BC976DA982C60AA60B87B570BD343A05316ED9E0D6ABCF101F3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: Rakzan.com
Sending IP: 78.46.63.69
From: Rakzan Ortis(Gr) <sales@Rakzan.com>
Reply-To: samiraabadi047@gmail.com
Subject: Dear 200nianren Attention needed as per Order
Attachment: Purchase Order.pdf.zip (contains "Purchase Order.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.fc.5489.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 08:02:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0951d8c7c31922177bfac1849388cf7e947d6e51ccbf936c7edd1e6d7c44da9d
FormBook
54afdaff6d05973b7c58978614f80dac9060bca2ef2f0e1835fa05b80e3da626
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea
FormBook
6b307cbe4f1e8d769af95142d574e77a50654e25cce234f48da6c5e7a7aa4b99
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
FormBook
bb973839df53081c969a7e6647bdfc2d3090b43b496fe8e2244a51a604264112
FormBook
dea5303370177b621cdd1fd497396ddaa9e94d3edd1407339f52f0dc85a67046
FormBook
df2bbdd833be8896f46c8660acfc9da2711f2a75d8338240b781fc6ee3964f9e
FormBook
+ 5'095 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-qn32ppxxae/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.joomlas123.com/4vx/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 4c004822cd78deb55cf3ed841a087538288bb3ec95558ef0e2b5d644c98613b1

FormBook

Executable exe 575cd2d06aa99a48ed59b412bb87aba3b3e3cd66093c7f9efd118bf533032ba3

(this sample)

  
Dropped by
MD5 0a20f8f392937693b8b163fc958b7cbf
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4c004822cd78deb55cf3ed841a087538288bb3ec95558ef0e2b5d644c98613b1

Comments