MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89a226afd800c763daf6097a05275bb5e100b168e8c3fa46a73807075dcec45c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89a226afd800c763daf6097a05275bb5e100b168e8c3fa46a73807075dcec45c
SHA3-384 hash: 29e8ee5beca6c92bcbc8f66f36c835e7beb5ba776f07d8fea842951d817c25a1ac0f11458d056dc2e8d633c0b86e3fbe
SHA1 hash: 92330e008dd1b9447ce31e319ecbfbf6c3f37880
MD5 hash: 7120183d4d86681c75e815a27b362f4c
humanhash: thirteen-moon-pip-mountain
File name:AWB 67389928.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:335'872 bytes
First seen:2020-05-18 06:26:14 UTC
Last seen:2020-05-18 08:23:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3dcb6238fc1bc29ea0e884827788b475 (9 x FormBook)
ssdeep 6144:R722779D82bunWN37rId+VVc+XEgcBXDzdkO:R7T9DTrfIqOi9cBzzdk
Threatray 5'325 similar samples on MalwareBazaar
TLSH E0649D26A92CCEB8D63F507AB986CC9A9ECD5CF3905F9C96D538E300C47DA81C546336
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

From: "Kirschstein Jorge" <jorge.kirschstein@dhl.com>
Subject: Shipment Notification - (AWB 67389928)
Attachment: AWB 67389928.gz (contains "AWB 67389928.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-05-18 07:26:00 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
23 of 30 (76.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rgrcnl6yaddwhwxwbf5akj23wxqqbmli5db7urvhhadqoxooyroa._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
emotet
Create hunting rule
Similar samples:
0d567b16454b8c3be5e7dbc796bf7049c0eb18ba9a625d6b5f45eff7202aaf70
FormBook
12cb6d99b66fe413685b633d1238a5695aa8dc77489bb8ab23f8dd15012a0653
FormBook
165a08681451ecc7ad583d97bacbc449b219a7ea3daa0355f2c77d19907a1d0d
FormBook
22f4207de77f987b6791843539e25e05ff3f6c010e805330210399e23c323b87
FormBook
2b62f1799021ec3671db2883f808f73b3ba1970abb8c76eff529f2b32250c333
FormBook
51d3cb67de439aca2814ae5eda56dc730fc590ed7353aba47febc451c740f501
FormBook
5767bcddaf9404e411f25e457d8af27eeefa15515f415e901b6e7412708e5209
FormBook
ca3ab25a8c3213aa08113b09cc4b60df1d2c440aeb0e02c1e3bd192a57f86208
FormBook
d6330004986cb2968200bad58cb3f1135e2383d9bdf6894feff0f28f952f4c2b
FormBook
fff1c46e62b2f3a4e202e05aebfc1e7d72b8b3c540912fe18f4b97dc4ab50e55
FormBook
+ 5'315 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-8h3c9zanwj/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.domaky.com/a0u/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

gz 325758a02acf2941d5c137eee264908cfb83f721ccfc902570e64a3dbcdbeb4d

FormBook

Executable exe 89a226afd800c763daf6097a05275bb5e100b168e8c3fa46a73807075dcec45c

(this sample)

  
Dropped by
MD5 38120af0aaa9a4155e177e2e947c8b73
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 325758a02acf2941d5c137eee264908cfb83f721ccfc902570e64a3dbcdbeb4d

Comments