MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b1f38ea00893691f1f2026c920e6755595e38c79fb43db6136ab8dee695455f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b1f38ea00893691f1f2026c920e6755595e38c79fb43db6136ab8dee695455f
SHA3-384 hash: 9dfa5ae61e2b309c17a2d531842f9d9893e49d9958ed76ce22a347ae0e127734a00cf34ae243b8aa3a3382fd3a2f1740
SHA1 hash: 4ecb1653d52451d13684c5e038e935894b725c01
MD5 hash: ae4f96004fa7189b83476505c1241971
humanhash: neptune-seventeen-hamper-lamp
File name:Attached new order,.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:306'688 bytes
First seen:2020-07-02 07:54:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:7OPtVfFPp70G5EvZfCB0HGNWjALez+bjP8ZrNEXSj:iPtnx4vevIALXPShE
Threatray 5'112 similar samples on MalwareBazaar
TLSH 0664AD346BEF8224FDBD1A70DAB6424802337CA46936D32DC64C715E2F77B4986517A3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mout.gmx.com
Sending IP: 74.208.4.200
From: Agustí Via <agusti@arcticmail.com>
Subject: Re: Re: Attached new order
Attachment: Attached new order,.rar (contains "Attached new order,.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18386/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WQV.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7b1f38ea00893691f1f2026c920e6755595e38c79fb43db6136ab8dee695455f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-02 07:56:05 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pmptr2qare3jd4psajwjedthkvmv4oght62d3nqtnk4n5zuvivpq._file
Verdict:
malicious
Similar samples:
3e9bb2ac28ce3eddd3d78d47c7af51ccc143bdfe09faa32752c67fa126edabc3
FormBook
73b08755001aa841367c969576a59bde8749a39267ffd48f28b5738d531fd16d
FormBook
7e1cc3c2c72032a35e00a39574018d4dc7b5c8b4a2b52e865be86cea4fb03436
FormBook
836e10c649bce22fed99ea498ea2f36c8d7e832be5be20de60a4f0a13db71ed9
FormBook
8ffe1634ec406dc2f1db74d9dd90ddf64b3abf2e42d491406b758d177747213a
FormBook
927ea99a59336bb821aa9062c686d43e3022224f56c6f34338218ddc6e165cfb
FormBook
bebdb4d1e77c1b459833876c8599ce54d46bcba89e3c8d13c1add73723648fb9
FormBook
c629f38c249f5f8a7da9911fae23c88120e4a750e3dfc52578396094a7ec7dcd
FormBook
f646b35153e14b1c060f94dfa4e3467165946dd9720b8ed63c2e8b144f132f22
FormBook
fc6b805a646f42a086dc2006a3a1ebe276b45d4583aae6ecb8745330a5139733
FormBook
+ 5'102 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200702-ycwl24m6za/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Deletes itself
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar b864e36933737d4dfda98387deff03cf5113efbdff664630518697f479c18052

FormBook

Executable exe 7b1f38ea00893691f1f2026c920e6755595e38c79fb43db6136ab8dee695455f

(this sample)

  
Dropped by
MD5 fe59c0268992a6cb4ffac2bd5dac91ee
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b864e36933737d4dfda98387deff03cf5113efbdff664630518697f479c18052
Cape
Cape
https://www.capesandbox.com/analysis/18386/

Comments