MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6012fb54cc0a67842710e7189ebfa42c27d30f18a604fbb4122734fb23b7accd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6012fb54cc0a67842710e7189ebfa42c27d30f18a604fbb4122734fb23b7accd
SHA3-384 hash: 5d0c598820dcb6e371287a52b7b2363a015fd1180f1872fdd881eb3cca87dc6fdfec0e755d4724058f2205a5143236aa
SHA1 hash: 306dcfc01101bfdce3d08b7732473acb98b21e09
MD5 hash: 14f9d04f8bb6a284fa3c62cb937b07c9
humanhash: wisconsin-idaho-autumn-avocado
File name:ORDER_89103.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:333'312 bytes
First seen:2020-05-12 09:06:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:L/+NzuHY+fT3pdl7BpKmCdZ1pvt52S911fT50K5B0POJ:LGzuHY6T/BKmQkS911f9/pJ
Threatray 5'192 similar samples on MalwareBazaar
TLSH 0264E12676A8AE03C79E55FFC8D1A90443B1E0975991F3DE2CD260E91EE4BC249C1DCB
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: qualitech-solutions.cam
Sending IP: 111.90.140.145
From: Warren Forsberg <w.forsberg@qualitech-solutions.cam>
Subject: RE: RE: PURCHASE ORDER
Attachment: ORDER_89103.rar (contains "ORDER_89103.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-12 07:38:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=majpwvgmbjtyijyq44mj5p5efqt5gdyyuycpxnase42pwi5xvtgq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1feab92e184b7440b336c41a703beb4fa4be5cdca014c8b7ac5cfa6b408eb2a7
FormBook
27379cbd39dae5d145ff292ffd71387a5508bba83997177272742b486cb4e662
FormBook
31d1428b910df6a6b0bc62b597f5c4c88514cba2ecd8c8fd28410ab97952b7cc
FormBook
7f30518d5d377a5daabfdf24a509e35c46b04f951500fec7a78e84724c4cdbc4
FormBook
accddeb954844341b87c006344f21c50757cd228d2f071d39e8707209b1a49f9
FormBook
ba9fbfd1eecd1879588201af8b4498bcef57e8950286170dbb0c7c5b7ded6a17
FormBook
ca6c6262134182f4bc6367855eaf6a390bf9f3a1b95e7238f3480dfe8baf50db
FormBook
e3f68e3679fc2ab587e712ce137e107318ebaa6bd5e724a76200bb10c945312b
FormBook
e75e9eb97fb635737341ed9fcfd25471fdd9889e75305bbb6b32bbee19b32d52
FormBook
f34f4e3d8e9c1ec1d066d75d07f3d93c70931d6a54d736dc12f83b8277db2557
FormBook
+ 5'182 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-h9k473th5e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nyoxibwer.com/20w/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 3d4a3d4efe1b11157a55f3342f8620b983b8b01213498551b62b9b6beec6120c

FormBook

Executable exe 6012fb54cc0a67842710e7189ebfa42c27d30f18a604fbb4122734fb23b7accd

(this sample)

  
Dropped by
MD5 09058252ce02651bdf6fac735f9139be
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3d4a3d4efe1b11157a55f3342f8620b983b8b01213498551b62b9b6beec6120c

Comments