MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73b08755001aa841367c969576a59bde8749a39267ffd48f28b5738d531fd16d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73b08755001aa841367c969576a59bde8749a39267ffd48f28b5738d531fd16d
SHA3-384 hash: 25e0eed3a74bfe57d64bf5df069524b7f0e482c6bd05784e0d32ca457dae9037567dd175a5848f9985704a2e4e890367
SHA1 hash: d757254a67a2fb58dd7c0442c9e7a30fcfbffb55
MD5 hash: 48d916a2db55db964d210eb1bb7597dd
humanhash: twelve-three-eighteen-moon
File name:Purchase order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:248'320 bytes
First seen:2020-06-15 05:26:04 UTC
Last seen:2020-06-15 05:42:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7bf3276cea36987fb223f1040f855c23 (4 x Formbook)
ssdeep 6144:mtf1++NVjSj/mK3GHFdSyBlS+S9hwkV9b:mnfH0mfSyBlS+ohwAZ
Threatray 5'080 similar samples on MalwareBazaar
TLSH 4134CF1A20B8CA7DF835E13C261D4EDA5765FC16937170EF66E47426D9E32830F29A32
Reporter abuse_ch
Tags:exe FormBook GMX


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mout-xforward.gmx.com
Sending IP: 82.165.159.131
From: Admin Danny <euphyfotiles@net-shopping.com>
Subject: Re: Re: New Purchase order
Attachment: Purchase order.rar (contains "Purchase order.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10205/
Detection(s):
SecuriteInfo.com.Win32.Injector.EMJS.13732.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 05:09:05 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ooyioviadkuecnt4s2kxnjm332duti4sm775jdziwvzy2uy72fwq._file
Verdict:
malicious
Similar samples:
3e9bb2ac28ce3eddd3d78d47c7af51ccc143bdfe09faa32752c67fa126edabc3
Formbook
7b1f38ea00893691f1f2026c920e6755595e38c79fb43db6136ab8dee695455f
Formbook
7e1cc3c2c72032a35e00a39574018d4dc7b5c8b4a2b52e865be86cea4fb03436
Formbook
836e10c649bce22fed99ea498ea2f36c8d7e832be5be20de60a4f0a13db71ed9
Formbook
8ffe1634ec406dc2f1db74d9dd90ddf64b3abf2e42d491406b758d177747213a
Formbook
927ea99a59336bb821aa9062c686d43e3022224f56c6f34338218ddc6e165cfb
Formbook
bebdb4d1e77c1b459833876c8599ce54d46bcba89e3c8d13c1add73723648fb9
Formbook
c629f38c249f5f8a7da9911fae23c88120e4a750e3dfc52578396094a7ec7dcd
Formbook
f646b35153e14b1c060f94dfa4e3467165946dd9720b8ed63c2e8b144f132f22
Formbook
fc6b805a646f42a086dc2006a3a1ebe276b45d4583aae6ecb8745330a5139733
Formbook
+ 5'070 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-fee2gtvjpe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.glamotd.com/fgd/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 4ea6272e1f128a8982662efaf88e4ed5531f2f40002fd2d230726d0b2d676fa7

Formbook

Executable exe 73b08755001aa841367c969576a59bde8749a39267ffd48f28b5738d531fd16d

(this sample)

  
Dropped by
MD5 79b20bb674a377a6ddd0264e506cb495
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4ea6272e1f128a8982662efaf88e4ed5531f2f40002fd2d230726d0b2d676fa7
Cape
Cape
https://www.capesandbox.com/analysis/10205/

Comments