MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7050254375f80a115a4a4a497bd423bcedd3b5bf2dcd8aceca58376cbc6b23a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7050254375f80a115a4a4a497bd423bcedd3b5bf2dcd8aceca58376cbc6b23a2
SHA3-384 hash: 843ccbe3d0bb2ad0b82f79909c3281629f1e5fb68bac791e684dea1c6e54fda9c6aa7ff0ebe07705cec261b47adf38e1
SHA1 hash: d1d5d26b9f599b03a1e1982f2c57114752d70f2a
MD5 hash: ac10041c949e8d23e31e92ea5878808e
humanhash: spaghetti-cat-mockingbird-november
File name:RFQ-GIFI.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:333'312 bytes
First seen:2020-05-19 06:06:34 UTC
Last seen:2020-05-19 07:12:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 25fec3188ac5c27c58ff9b7a5e8a7344 (3 x FormBook)
ssdeep 3072:c4FKyS2JRLzcsnaHq0/rmySRVf1Mox6uW4bmh61Jf88hgKDqvXCozOekn01rDW7:jFPlne/rCVfioxd53E8hvcXDzdk0N
Threatray 2'822 similar samples on MalwareBazaar
TLSH FC649D22A56CCDB9C63F557ABAD2CDA98E8E1CB3106E8C59D138F305C53C6C1C967236
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: yisun.co
Sending IP: 111.90.159.196
From: Janson <janson@gifi.com>
Subject: RE:Quotation price
Attachment: RFQ-GIFI.zip (contains "RFQ-GIFI.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 00:24:04 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=obickq3v7afbcwskjjexxvbdxtw5hnn7fxgyvtwkla3wzpdleora._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
emotet
Create hunting rule
Similar samples:
00c47b353869bd10336878ab126ad47ba22f370c1adf89310a589d5a6c14bfe4
FormBook
0951d8c7c31922177bfac1849388cf7e947d6e51ccbf936c7edd1e6d7c44da9d
FormBook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
FormBook
6b307cbe4f1e8d769af95142d574e77a50654e25cce234f48da6c5e7a7aa4b99
FormBook
6f95416c1006a499c7012c6cde49a27f83223c665cf9b28764030afeb04bf697
FormBook
7b4dc733949d65f6a058326f41ce6281f9ac85a351c094363394fe95450336d2
FormBook
b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663
FormBook
d2a6e56b5ef7724907cceaf6ceb9da2a31012988169b8612248fd3b299e3d821
FormBook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
FormBook
e8172cbc3806d750d00a5619e618ffc068b9d8247b5f4da507642e70e32ac3f9
FormBook
+ 2'812 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-p4clfhkwka/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.yofdyk.com/q5e/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip bc3b7f1af580c86302a0e14d9d4c78465d367d541a40b412b77b295192c63580

FormBook

Executable exe 7050254375f80a115a4a4a497bd423bcedd3b5bf2dcd8aceca58376cbc6b23a2

(this sample)

  
Dropped by
MD5 b79f17c71761cda547aa9f9714b939b3
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bc3b7f1af580c86302a0e14d9d4c78465d367d541a40b412b77b295192c63580

Comments