MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f3cf19b51263af0e6b7e8856a7d635a44dd101e069b84f5ceb11778a81cbf35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 4


SHA256 hash: 6f3cf19b51263af0e6b7e8856a7d635a44dd101e069b84f5ceb11778a81cbf35
SHA3-384 hash: 7c326718c717bb75329a6a990418129933294dcbc2f08b0f927df9d65175ccdf111f08d4aaea9a2e66de7ecc99418dd4
SHA1 hash: 128f771b758c032983c8bbbda33a23c27f8e2e56
MD5 hash: abae3f1b96b407b71b01ce7d4481ad93
humanhash: mars-batman-lithium-cup
File name: Invoice (5).exe
Signature: FormBook
File size: 343'040 bytes
First seen: 2020-05-27 08:50:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5fd94ccd1dec1c5baf6be7519f2d9282 (8 x Formbook)
ssdeep: 6144:EkJSjYID1dX2FJMNJJbZQ3c0riv5Q5Dp/ITGj6aYYvUgXDzdkD:3JYtbmqJJ6M+y5yDFITGj6a/3zzdkD
Threatray: 4'915 similar samples on MalwareBazaar
TLSH: 7C74BE22BA29053CC93F507879C7CDAACEE75A9364AF9C9AD99CD540C82D7C04C63277
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: postal.zeregabertrading.info
Sending IP: 176.107.177.184
From: edward@zeregabertrading.info
Subject: ORDER27062020
Attachment: PO27062020.rar (contains "Invoice (5).exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 77
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-05-27 00:40:41 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 24 of 48 (50.00%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mansiobok.info/ch09/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
FormBook
Executable exe 6f3cf19b51263af0e6b7e8856a7d635a44dd101e069b84f5ceb11778a81cbf35 (this sample)
Delivery method: Distributed via e-mail attachment

Comments