MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8604f9cf7a68603106748dcd54ec4bf13f11ac46bf07d4fa0ec20d45b98e16c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8604f9cf7a68603106748dcd54ec4bf13f11ac46bf07d4fa0ec20d45b98e16c9
SHA3-384 hash: b5da9ccd2f09b1994a19b6db261c1f957c119940cd0902d2a4fb23e5b50918d683f2c082b78f3c1c6c2b977408fffbdc
SHA1 hash: d51c19eee0d10b17397de8103b81b91c0870bb99
MD5 hash: 9f0039672a32b1194ed354d62bac51a3
humanhash: winter-december-gee-juliet
File name:Ordine6005432.scan...exe
Download: download sample
Signature FormBook
Create hunting rule
File size:291'840 bytes
First seen:2020-07-01 05:36:55 UTC
Last seen:2020-07-01 06:54:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:lIR8foX7aZ7zJx7qe7at4CoNZp9GXJ6PYgOZUbF0RSiT5P/D:iRpXm7zKeOt4Co77GXVgHbqbdP
Threatray 4'832 similar samples on MalwareBazaar
TLSH 6954D05FE358935BDFDB173AE132211EAB32C2492E03E35F7A6D8595260E3885C503DA
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: 199-168-185-10.hdb.gsitio.com
Sending IP: 199.168.185.10
From: Chungheon Lee <euroistru@gmail.com>
Subject: RE: Ordine
Attachment: Ordine6005432.scan...rar (contains "Ordine6005432.scan...exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17570/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WOX.17189.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8604f9cf7a68603106748dcd54ec4bf13f11ac46bf07d4fa0ec20d45b98e16c9/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-01 05:38:06 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qycptt32nbqdcbturxgvj3cl6e7rdlcgx4d5j6qoyigulomoc3eq._file
Verdict:
malicious
Similar samples:
08c04f257dbf34e406e95901c084a0f00efd77ab0bb4d03ba228ecb3f9260d7e
FormBook
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
8fb2b9dc001a9dda1b56963034f4957c33e13cf502ab963630100350c0143bce
FormBook
a1ad8bfdcc01c3b59fce9cf7c4ea716f46c5e562d1fbfda663a03fcb3b21fc59
FormBook
a777ab5f9fd6e6aa4f4d70b5168f4358c849f3ab461a3d15d315c83fe351272d
FormBook
c29af14bba547ce94a8a7c2d7f71d30ebd0df541b604b4dfa400700601755efb
FormBook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
FormBook
e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4
FormBook
fc7f170e0b18f35f5d150ec384f7d7db8cd790bdac22d469424515225ab30658
FormBook
+ 4'822 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion trojan persistence spyware
Link:
https://tria.ge/reports/200701-2e3k86xsdx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 3298fe51a40cb3c8e78679a13edfc4f1448ff2031ca790ef1a569b8528db3b99

FormBook

Executable exe 8604f9cf7a68603106748dcd54ec4bf13f11ac46bf07d4fa0ec20d45b98e16c9

(this sample)

  
Dropped by
MD5 d646beaf0a7a7e9d98248958d8d40001
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/17570/
  
Dropped by
SHA256 3298fe51a40cb3c8e78679a13edfc4f1448ff2031ca790ef1a569b8528db3b99

Comments