MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 783c6835be34af1803983890ec14e1edb2ac7cef4442dff43cddb719d97236b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	783c6835be34af1803983890ec14e1edb2ac7cef4442dff43cddb719d97236b2
SHA3-384 hash:	3ac69798897cc4ad6fd9d70399fb5b1b4b9a29a14f793f40f461e6e071cae77274482a1473d8ee4f94498f3308e52b24
SHA1 hash:	0a2a8309d1ffab87c96392d66af150a173e6d75a
MD5 hash:	319112103cffdcf74d0090cbc89e70c5
humanhash:	ceiling-sink-nuts-hydrogen
File name:	Bank_details.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	328'704 bytes
First seen:	2020-06-05 10:17:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	3072:8wTYteWMCI3bc87CDZOPoY+slmfNdI4+IPgOTuOT5O8Y12LuvhbFUgwYWlkz/Td7:8VeWg57CDZOPlSaIPllT5PYDbFBWl4
Threatray	5'267 similar samples on MalwareBazaar
TLSH	0964E68C5CAEC0CAC6750FB846CED9EA46DA1FF30F229879B5C44BCBC521785F50A526
Reporter	abuse_ch
Tags:	exe FormBook MailChannels

abuse_ch

Malspam distributing FormBook:

HELO: brown.elm.relay.mailchannels.net
Sending IP: 23.83.212.23
From: gareth@bewandco.com
Subject: Re: bank details
Attachment: Account_details.rar (contains "Bank_details.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

72

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-06-05 07:49:39 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pa6gqnn6gsxrqa4yhcioyfhb5wzky7hpirbn75b43w3rtwlsg2za._file

Verdict:

malicious

Similar samples:

08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f

5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35

9c3dd49a5833197c8ded3093df9fa770129e196acf76de5a54ae3ae3e9580cb8

ada94346c3ea30c0fce4f35e075d45ca022923d8afc8c93c4895b5b05591a857

b1ab330d8407adbc0731fd66b869bca53515ccf732d1ad498515e5e04f993de4

b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663

bf04f6a3d759b9ce48f004cc8667d1b30b97451bcef767932fa6cbdd96ce87e9

e3bdb2a06e43b09073cebd4f7a7fe633d45d1c6d149885f7b815cc591fe3b453

e58d299e799026f70c33649310efef0e2ccfa45514fa554dcc0f4eb9fbdf1cf2

e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c

+ 5'257 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-nv43ypxmye/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

rezer0

Formbook

Malware Config

C2 Extraction:

http://www.tromagy.com/yx5/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 07bb8a93f7d3775c5c6154a7865bbe02078b40bbe7f34d10a7d928257cd9b001

exe 783c6835be34af1803983890ec14e1edb2ac7cef4442dff43cddb719d97236b2

(this sample)

Dropped by

MD5 5e7108e0ad42dcf1dcef0f1681bdefba

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 07bb8a93f7d3775c5c6154a7865bbe02078b40bbe7f34d10a7d928257cd9b001

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample