MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fab1d558e165d232858902d7774749256fb81c20ded2487bbc3b7b2cd0d1507. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fab1d558e165d232858902d7774749256fb81c20ded2487bbc3b7b2cd0d1507
SHA3-384 hash: fe421ad4e3d050a82728e0371ac63e82660b7f30b1987d1a8f0b0ad514948382eb9a992b8c21fd5f8f3ed9a7252522cf
SHA1 hash: 5efc1d2bd0f14e7acdb014eb96b237a92adfe40e
MD5 hash: 1b72515c39d35164db37e1655399502d
humanhash: lion-cola-pasta-pip
File name:img_06042020.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:407'040 bytes
First seen:2020-06-04 07:08:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:sgXX5EUB7gIglvI9yDoS+sUaXAxJpc59yv90VyF1SYrjTX7/c/Jkf8SHt6Oa2:HXTVgIglvI9yT+sQxo5Yvln7US86
Threatray 5'182 similar samples on MalwareBazaar
TLSH 8A84AE2A43A8DB66D69D47BEC9D150414BE58DEB8E4BCF899C9574FE09333A3D80210F
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: relay02.poa.svr4u.net
Sending IP: 180.222.177.75
From: Eric Zau <eric.z@zjlmi.com>
Subject: Payment did not go through please confirm details
Attachment: img_06042020.img (contains "img_06042020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 01:25:00 UTC
AV detection:
17 of 31 (54.84%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p6vr2vmoczosgkcysawxo5dusjlpxaocbxwsjb53yo33ftincudq._file
Verdict:
malicious
Similar samples:
1dd89cec8476c901750387a54eb0cce63addcb6037d96de9a78fd736531f9390
FormBook
2bd1995c8c2b3f35906807ce4697151cf801af339579cd7b86e467df6474dafa
FormBook
51e2e890ac898a62cb6478414ac1079df55a036da252026d4f5c8f7f09e400b3
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
80d185a291cf5c72cf84c63a49ade7e9d7363a3721aa2967c9d143c7d29fa03d
FormBook
8791d7218610249f735812d5d7f4f890e0e399c3efab189221bfe96732fc2b1e
FormBook
a1d8dc3627d6274bbc44d637008958b06acf5c9bd4de3d3c8c9229552956d7c5
FormBook
a8fb290af4d6f3cb59e034cfb61e7c6981f246c98c1929b35302bca73a05a472
FormBook
bb87a6186306d0417e723b3ae04b70193f32d8b5fe479de840ed10f243234c4d
FormBook
ebb20ece00b9d35c26bb797dbbbd6df726473e198a53095cb232dc8042c18d7e
FormBook
+ 5'172 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-c5swda151x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.porcber.com/mq3/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img dd792d4dc5f8a4a0b08f4c8a9ea07372721b82f9d08fe223f1071165c106d0b6

FormBook

Executable exe 7fab1d558e165d232858902d7774749256fb81c20ded2487bbc3b7b2cd0d1507

(this sample)

  
Dropped by
MD5 dd70388a7ab2ee599c3743dbb32ca3b8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 dd792d4dc5f8a4a0b08f4c8a9ea07372721b82f9d08fe223f1071165c106d0b6

Comments