MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61ce52bb7cf517275e2bea379104a392630ec8dc216790a910f4586efbdca4fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61ce52bb7cf517275e2bea379104a392630ec8dc216790a910f4586efbdca4fb
SHA3-384 hash: 0c538d40231ee5ffe9d1e93107e3f7ac9dd60300d98eb7f6b01c8b9e81d206ad8de3b11a75e1109f625601efbf1b73db
SHA1 hash: c666349ef2d17b180d3121954e658d4df231d9e8
MD5 hash: 962eef4cf460292ecc166f2b2fc98823
humanhash: zulu-aspen-apart-oxygen
File name:Purchase Order List.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:377'344 bytes
First seen:2020-07-01 05:33:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:RtYS9T5QSi7EBPrH6nKVFEoEsBL8ymvCQkK8ROk3oxFH:RtYS9FoEBeaEoEsBVm6u8Ik3MFH
Threatray 5'352 similar samples on MalwareBazaar
TLSH EC84D1B0B255CA9AE8BA97B00C1AD8101FB2B55FA471D30E3D9536AE59F33420177F1B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.linux61.papaki.gr
Sending IP: 138.201.206.39
From: zhou <doris@haruixiang.com>
Subject: Re: Re: Re: Order.
Attachment: Purchase Order List.zip (contains "Purchase Order List.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17567/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/61ce52bb7cf517275e2bea379104a392630ec8dc216790a910f4586efbdca4fb/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-07-01 05:35:06 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mhhffo346ulsoxrl5i3zcbfdsjrq5sg4eftzbkiq6rmg5664ut5q._file
Verdict:
malicious
Similar samples:
01563eeff9cd4cb84253c2c9bc40762d118780ab89c6c7b82ce9c9cf0a56a818
FormBook
017f433a49afcc765c5a5e7f39de6251fbe37d9c98f7d86f1abcefb1a9f559bc
FormBook
41519f4cbc28650e8151b62f9a6b9503274a80d6dc51bade4a118812742e63ab
FormBook
86d0178097eebb5010e24650ce79f80f19567ad2872f0f0b7325761a01cf67f5
FormBook
8afd54f2ed0af6d9593b0985cec1604748ca753900859fe4ee225d21b574e55e
FormBook
91ff383b66f03166257bbf629acfab862c2269e04b76bc49714520a5709e5e72
FormBook
a6534d12c87d0d8093cad2787b01a05c6caa0771f1b1cb51b809ee1ae9f48044
FormBook
be29f9be4b998a7893c2c182c972406067eaf913364484a1fa824133d71ef54f
FormBook
c5ccddfa0f7ee807513279b0195460cd48f3b36f2154c93ff3945fe30c647dde
FormBook
e95f01bbde0fbd70670b820b972768e7fc5f23509495c805ddbc3271030f443c
FormBook
+ 5'342 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware evasion trojan stealer family:formbook
Link:
https://tria.ge/reports/200701-56zglyhd1a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
System policy modification
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip b6ca5260fe0d12121268026560ad699cf4f0dadf38b880359a12f283df97fed9

FormBook

Executable exe 61ce52bb7cf517275e2bea379104a392630ec8dc216790a910f4586efbdca4fb

(this sample)

  
Dropped by
MD5 15a68d0277505a388b3ba0e46d37f500
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b6ca5260fe0d12121268026560ad699cf4f0dadf38b880359a12f283df97fed9
Cape
Cape
https://www.capesandbox.com/analysis/17567/

Comments