MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f5789de61eefef45f7dd1027b45d9edf6c5a294bfe66edae961f45f92bd85f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f5789de61eefef45f7dd1027b45d9edf6c5a294bfe66edae961f45f92bd85f3
SHA3-384 hash: 9aa0e6c5763228c57d84ee02f2e3a07f66f9e99dbd7bf3c9fe2d0d5d2e3e9d4addd678ee8a2d9472ea35f07e67449a18
SHA1 hash: 2fb60eead2e3e95e641b37cfe2008eb375ec64c9
MD5 hash: 5f473e79452b073dc1cb2c49c40b662f
humanhash: ten-xray-uranus-lion
File name:cert.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:331'888 bytes
First seen:2020-05-23 12:07:22 UTC
Last seen:2020-05-23 13:13:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:YsLit9epsH8xD3n75QcDzKsUnDf+qM3uHoQLx:+eNdQcHwhM3uI
Threatray 5'077 similar samples on MalwareBazaar
TLSH 51649D263E824438D658C57214B9ACC3AD395B813AD1875F3FAFA3585E03B9E6B34D0D
Reporter abuse_ch
Tags:exe FormBook

Code Signing Certificate

Organisation:Microsoft Corporation
Issuer:Microsoft Code Signing PCA 2010
Algorithm:sha256WithRSAEncryption
Valid from:Mar 4 18:29:29 2020 GMT
Valid to:Mar 3 18:29:29 2021 GMT
Serial number: 330000032548B29D0E7FC5F41F000000000325
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 82343FD97F607024D4AB3E86E84DCF894A6CE7C865978DA31A34DB5CA494BC16
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: vps.brightway919.com
Sending IP: 103.233.0.2
From: Brightway Trading Services <inquiry@bujan.com.ar>
Reply-To: sales@brightway919.com
Subject: REMITTANCE REVIEW FOR redacted@threatwave.com
Attachment: PI02843.doc

FormBook payload URL:
http://petrosklad.ru/order/cert.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WAJ.24669.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-23 12:11:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
14d8219f46423321040066a71c5871a52c322ebbbf2d8fe364affabcf4b13ca8
Formbook
26ab418898511e23428738e2ffec693856268e683f2db04b9f243420cb40d889
Formbook
3bd58e3b3fe712e8d7595cfbd576a96251c68a5dac230bd3e778640e8eb817ec
Formbook
469135103d8ac053415dc4598dcbd884f759dc58af50dc9efbe94d2991a133ea
Formbook
69a951205cf548cd5e5f086531d65a20918ffbfd5adabb79e6834cedcb056627
Formbook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
Formbook
c267fd7890fd729592368cf808c21c4d3ae00e0ff064e4aac48ff475ec739539
Formbook
ce860f3976ba5df3c4465a4b60d12980677dccc961a9fa91555c7b9de14c3dd8
Formbook
ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645
Formbook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
Formbook
+ 5'067 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook agilenet rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-y6bd3tbvra/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.regulars5.com/hx345/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Word file doc c267fd7890fd729592368cf808c21c4d3ae00e0ff064e4aac48ff475ec739539

Formbook

Executable exe 5f5789de61eefef45f7dd1027b45d9edf6c5a294bfe66edae961f45f92bd85f3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/367162/
  
Dropped by
MD5 9ba50a2e02f39dbed2f605a3b58a033c
  
Dropped by
SHA256 c267fd7890fd729592368cf808c21c4d3ae00e0ff064e4aac48ff475ec739539
  
Delivery method
Distributed via web download

Comments