MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8078d97844b57f9ee1521ac19ed0382b13c249a5fc9440d72e032589d1bf1280. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8078d97844b57f9ee1521ac19ed0382b13c249a5fc9440d72e032589d1bf1280
SHA3-384 hash: 50878e196d0c1cb213a6847a98601d58b5c249682799ed32a9d06b1d75fa724562ebaac24b7f6ad414b98ce60dbe7d31
SHA1 hash: f2be0ffde65d89c9c591fb531af3b21e6b78b9bb
MD5 hash: 4c535d6a27a8da414e35237f211da107
humanhash: floor-double-seven-louisiana
File name:2020518.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:262'144 bytes
First seen:2020-05-18 06:25:17 UTC
Last seen:2020-05-18 07:11:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:0ClbHQvtA3GseVqTh98oMJuoMYeZtI5i0xNlFWHUVFxJP3KNBK0Qxxc1JHhwltEQ:rlbH626UxMkoMjuT7OUVPxKNs0Qj31y
Threatray 5'245 similar samples on MalwareBazaar
TLSH 3E449C3C5FA90337D1B5C27C5EE40D9FB74066373A717E2C96FA03A94226762A4D122E
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: cmhk.com
Sending IP: 37.49.230.164
From: "Sūn Démíng (孫德明)" <relation@cmhk.com>
Reply-To: yingzhang67@yahoo.com
Subject: RFQ/ORDER #2020518
Attachment: 2020518.zip (contains "2020518.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Artemis4C535D6A27A8.29837.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Mbt
Create hunting rule
Status:
Malicious
First seen:
2020-05-17 22:11:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 30 (76.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qb4ns6cewv7z5yksdlaz5ubyfmj4esnf7skebvzoamsytun7ckaa._file
Verdict:
malicious
Similar samples:
2ad7a9c76778a5cbbf458819852689c82153acca51da8fe58eed37c126d5b755
FormBook
474cad642b1cf88f8d7f922cbfd9b8a00d7fc0eb40cafc0877007ee2884f105f
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
5e511d66664d13e1276eb5d08ea2e48e004a614d114f2b35c2a742912694dfd7
FormBook
70399b135fa0365dae66a01b072dd8614be73c7ff2b4cc51caeeef64dfc60ef5
FormBook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
FormBook
b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634
FormBook
b57c9384280389b262d09cb4fa5b5465aadd4aaba2afb6d48c5d6e7c3f8d923e
FormBook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
FormBook
e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
FormBook
+ 5'235 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-ye9lv5jnls/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.tromagy.com/hlr/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip eb20060ecd58c9b4e32d132bfe44f27236c0a66b497c38deb328a973fc8881d4

FormBook

Executable exe 8078d97844b57f9ee1521ac19ed0382b13c249a5fc9440d72e032589d1bf1280

(this sample)

  
Dropped by
MD5 fef1635a3f99a3dbbd41d96b08141f19
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 eb20060ecd58c9b4e32d132bfe44f27236c0a66b497c38deb328a973fc8881d4

Comments