MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 811b6950ba9561169b22ccfc12daf0fc57f26a910272f56288bd0d7c10da5c15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 811b6950ba9561169b22ccfc12daf0fc57f26a910272f56288bd0d7c10da5c15
SHA3-384 hash: 85c6d34e81d0f36c5642c6323e0faa4e12005b247ffa4354c8e119aeab02b61432e184a402787c6eb30ab0f72633cea3
SHA1 hash: 31d76093e29c3cf930c6f049a87f346fe85fdd78
MD5 hash: e05a0e4c1c58a65a562fada396783b93
humanhash: xray-fourteen-river-sink
File name:CANAL PDA SUPPLIES RQT-pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:728'576 bytes
First seen:2020-05-27 05:12:15 UTC
Last seen:2020-05-27 05:53:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1b590093cfa7d297eb222f9e91c3903a (7 x AgentTesla, 4 x Loki, 3 x 404Keylogger)
ssdeep 12288:2cSxZThBBXdHeFh3GfGMMYQ87VF2Mlc00ypARjuW62c8UBKn:WLvjHeWfGMG8r2sF5pARo2Dc
Threatray 4'579 similar samples on MalwareBazaar
TLSH E0F49D26E2D0C437C1771A3D9D1F5B74E82ABE712A695D7A2BF49C0C9F382913836193
Reporter jarumlus
Tags:FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 00:12:00 UTC
File Type:
PE (Exe)
Extracted files:
264
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
040e2a7b73768aea00579bd04fa834afa4b33966459c4c9d4c4cddfb7cffe8c0
FormBook
1c7388bfdfb41e34dc95423b351d3b18d737889d9f8648da0ce24048d6e2f495
FormBook
1d24189fffd0bdcb0395a3670721f29f37d08bd80565471db28d45ac36b2cbc9
FormBook
1d26a5cf8e279ddaa3ad924224219b550f7d431e8d6adbcb7bd36c01d4eae2d9
FormBook
2fdb0d7b083751a10db872738e974f869b99f2ca21891a5fb96bc9440f827ffb
FormBook
3f256c15a96f8f556978318a55308e3ef709f29d93a18d0c2d262f305477cfb2
FormBook
490a783bc399cb6dd9b64ecc8d0f909830fe1a351d18f148493fcdf6eefb52cd
FormBook
5ef5d6bc0c7af14274c71cdc4377785a79143786556262137f496a94170ac56b
FormBook
bca55e158b112f5d776f4402d48cdfaf5ae42b4d8f2e063ac69ba2405bfcc60a
FormBook
c303fb93eba5623184f5bfb8fefbea2458e25ead795e6d5c5d5e78e921c6490e
FormBook
+ 4'569 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-tw3yvddyzs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nyoxibwer.com/hm2/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 40519328e5690783cfc2b695315712675722442c18a882a2064e46d616092a77

FormBook

Executable exe 811b6950ba9561169b22ccfc12daf0fc57f26a910272f56288bd0d7c10da5c15

(this sample)

  
Dropped by
MD5 7495288c4aa0fb280f8e772fdd860e33
  
Dropped by
SHA256 40519328e5690783cfc2b695315712675722442c18a882a2064e46d616092a77
  
Dropped by
FormBook
  
Delivery method
Distributed via e-mail attachment

Comments