MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69a951205cf548cd5e5f086531d65a20918ffbfd5adabb79e6834cedcb056627. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69a951205cf548cd5e5f086531d65a20918ffbfd5adabb79e6834cedcb056627
SHA3-384 hash: c65fe75efc0eb20d74390577d154c58be2e5d261a5c25676037c5cbab43a5d7d86e96b28cfbadb4bcb21ebefe31fef9c
SHA1 hash: 8cef9a6c3b8ee264e72613fb522c6d42867fcfe7
MD5 hash: 9b7ae237912af6cbf53697410744187e
humanhash: nitrogen-washington-harry-football
File name:18.05.20.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:428'544 bytes
First seen:2020-05-19 06:32:59 UTC
Last seen:2020-05-19 09:45:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:KF63e53HHeUsLitOEJD6Lp9K/qOQ0ebCJJPF8pQ4oU5FaG:KF63eJneVEt6LEqOgbkPFfN
Threatray 5'084 similar samples on MalwareBazaar
TLSH 20948C366542C039C135C272B46D5FCB993D1F1036D58AEEABAE13189F4368E737AA0D
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: vps.brightway919.com
Sending IP: 103.233.0.2
From: Brightway Trading Services <inquiry@bujan.com.ar>
Reply-To: sales@brightway919.com
Subject: REMITTANCE REVIEW FOR X
Attachment: Order19.05.20.doc

FormBook payload URL:
https://brightway919.com/order/18.05.20.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Formbook.27185.15650.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 06:36:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 31 (67.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nguvcic46vem2xs7bbstdvs2eciy7675llnlw6pgqngo3syfmytq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
14d8219f46423321040066a71c5871a52c322ebbbf2d8fe364affabcf4b13ca8
Formbook
26ab418898511e23428738e2ffec693856268e683f2db04b9f243420cb40d889
Formbook
469135103d8ac053415dc4598dcbd884f759dc58af50dc9efbe94d2991a133ea
Formbook
5f5789de61eefef45f7dd1027b45d9edf6c5a294bfe66edae961f45f92bd85f3
Formbook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
Formbook
9fba6ffeb90dd242748718d8272a4942496e76a4f68bdb4dd42f93b044b5ed50
Formbook
bcc826091ec71230947aa1916263434935a58ffe5977cf415b1d970633939652
Formbook
c0e1210ec3e11a5d71cdbf2edfb199539f891a1bdb27ccd97eaf0fb70891c615
Formbook
c267fd7890fd729592368cf808c21c4d3ae00e0ff064e4aac48ff475ec739539
Formbook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
Formbook
+ 5'074 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook agilenet rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-srn7wstses/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Obfuscated with Agile.Net obfuscator
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.regulars5.com/hx345/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Word file doc 9799cf7a91c88619114f936b43a1e9817bb772a0c2963a619b69cf4899e6c5bb

Formbook

Executable exe 69a951205cf548cd5e5f086531d65a20918ffbfd5adabb79e6834cedcb056627

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/364784/
  
Dropped by
MD5 0e57b6c3a8333966a2380715ca317e32
  
Dropped by
SHA256 9799cf7a91c88619114f936b43a1e9817bb772a0c2963a619b69cf4899e6c5bb
  
Delivery method
Distributed via web download

Comments