MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c45a4d4ed82e89fc389c64729ef65d08fa313ad92e0818f6c1fa96156d66f4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c45a4d4ed82e89fc389c64729ef65d08fa313ad92e0818f6c1fa96156d66f4e
SHA3-384 hash: f5780a0bff63343d8e4f750d81a270300fb3c2d1edf21114524165ef4536f4e91d767733ac5bf10b479c6cb6970b2edb
SHA1 hash: e5af4842b739d854e771620fca42a357ccb5781b
MD5 hash: ebabed291602498abfacc0fb8df14fd8
humanhash: failed-red-video-bravo
File name:SWIFT COPY.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:343'040 bytes
First seen:2020-05-11 08:55:23 UTC
Last seen:2020-05-11 09:59:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:4g38wqAqfClk3cwaX0il5gtExlFE5aS/XQKVCSyR8WSv9RkVmeTjdPLE44V87csP:jqfClk3cwaX0il5guSg8WSvzkJjdXj78
Threatray 5'210 similar samples on MalwareBazaar
TLSH 14749E1532AD1B7AF4F6ABF52AA4A451D7B1702A3852E7AD4CD115CE81F8F40C8A0F37
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: dias.adhoc.gr
Sending IP: 188.40.170.194
From: audit-team@directbiz.com.my <audit-team@directbiz.com.my>
Subject: PAYMENT FOR INVOICE
Attachment: SWIFT COPY.zip (contains "SWIFT COPY.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.45506.12838.27907.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 03:37:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nrc2jvhnqluj7q4jyzdst33f2ch2ge5nslqidd3md6uwcvwwn5ha._file
Verdict:
malicious
Similar samples:
035c2fa5d912202dd34e8410b14a42b0db007c2be8ed819bbc444f9818497f5b
FormBook
0cc16629baebcad2253c82ea0625b90df67e4012a56b0bce7b5dea230d6c3d35
FormBook
17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
FormBook
1cc899a5fc4a3e7fe1c9d1265b60a4faf51bc1df3e4b25c088979755410fa954
FormBook
28ddf0fa7f44508ea2b7c6f2de45496e5a031aa84d095c0b8c14732173073fc7
FormBook
4b83753be005d3668592559d6fe011fda590558f730140f6c303714ac8fe0d93
FormBook
7d667845924245b2c6acee25a643afab5ad0a822614574c93cbf19ff0bb4f8c4
FormBook
916badee0304605bfd8e43c11179fb975d094226a432eeb28af55dc9be426c24
FormBook
99cd867e1595504f909e1e040664433574b9b3884d21d4e5c1f42fa1f14764e3
FormBook
bfba96f9fe309c54e375e1e1e868aa2a729cbc6989c9494dc4d74628004c3dce
FormBook
+ 5'200 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook evasion rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-pd47bzz7vn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Malware Config
C2 Extraction:
http://www.mansiobok3.info/ch62/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip cbae65ec8c9cde558101c519c236f47ee2309e582f0d6230d82280c1bec29ff8

FormBook

Executable exe 6c45a4d4ed82e89fc389c64729ef65d08fa313ad92e0818f6c1fa96156d66f4e

(this sample)

  
Dropped by
MD5 cad8eb695a808fc37c607cb4a76af06a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 cbae65ec8c9cde558101c519c236f47ee2309e582f0d6230d82280c1bec29ff8

Comments