MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81dc51cb4c9a375262666a59dc61a43408439f968b51f825f5e2193b990587c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81dc51cb4c9a375262666a59dc61a43408439f968b51f825f5e2193b990587c2
SHA3-384 hash: f2bbc2672204c843554e5cac99db1629006778bac3f5a046bd970a23067779c6dec9ae594fcca7682c4640b7f3f1245e
SHA1 hash: ddcbd0eca10da0093b7cd613da8ef7d032e68b1e
MD5 hash: 607179e2d115befd41a93ca7323c24e6
humanhash: lactose-bravo-finch-vermont
File name:Fax Message_encrypted.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:350'208 bytes
First seen:2020-05-01 10:59:44 UTC
Last seen:2020-05-01 11:56:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:SurMzrGfGeuMr/fDCHxN1QdmZVoNu4NaHo90/4d3vB0BkSmB:SKMzBeueDcxwdmvreco90/4dR
Threatray 5'107 similar samples on MalwareBazaar
TLSH D774D0BB6348CE96C8DE09B9A8BAC581DFF67CCB1D03E707446274A038773D1761658A
Reporter abuse_ch
Tags:eFax exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: walmailout07.yourhostingaccount.com
Sending IP: 65.254.253.58
From: eFax <salahudeen@awazigargash.com>
Subject: Re: You have a new fax message
Attachment: Fax Message_encrypted.zip (contains "Fax Message_encrypted.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.291.23664.23496.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 02:18:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qhofds2mti3veytgnjm5yynegqeehh4wrni7qjpv4imtxgifq7ba._file
Verdict:
malicious
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
FormBook
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
FormBook
322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e
FormBook
5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6
FormBook
75952934e5ef6bb74f29c3320ef112e219cc953dc5ed8c351d742448f61161ff
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
FormBook
9fba6ffeb90dd242748718d8272a4942496e76a4f68bdb4dd42f93b044b5ed50
FormBook
c0e1210ec3e11a5d71cdbf2edfb199539f891a1bdb27ccd97eaf0fb70891c615
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
+ 5'097 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip a6a2c92b0ab8caca624524dd8a5fb38f28bfb5dc4c700ca36c86187e2e0ee527

FormBook

Executable exe 81dc51cb4c9a375262666a59dc61a43408439f968b51f825f5e2193b990587c2

(this sample)

  
Dropped by
MD5 8776813a3b98698f9405992feccaf043
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a6a2c92b0ab8caca624524dd8a5fb38f28bfb5dc4c700ca36c86187e2e0ee527

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments