MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89ff5517452e28f7853a015903ba0573e53d05a36095774e186022944945a5a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89ff5517452e28f7853a015903ba0573e53d05a36095774e186022944945a5a5
SHA3-384 hash: d064230b1b9c07a60fa733f7353b1bc8bede6e0ab88d03e32f8675fc1f5195acf4fd1979e74e1c24555ae71dada5f382
SHA1 hash: 8ad203813a8834ebe74a33ddd04a6995d390b398
MD5 hash: 10376452778739924417c8d5e84c523d
humanhash: magnesium-cola-potato-seven
File name:Attached new order,jkl.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:257'024 bytes
First seen:2020-07-03 15:39:40 UTC
Last seen:2020-07-03 16:38:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:DfvGu62pRc5B5olxNhuFdQALeZKhxcXaQ7B27Yj6:zv962pmv5olQ1Q7wc
Threatray 4'727 similar samples on MalwareBazaar
TLSH 4F44CF796AB7D5BAC4CA0B79A9D6E158C27E9E437901D3C8D924FCA83A33313C05494F
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mout.gmx.com
Sending IP: 74.208.4.200
From: Agustí Via <agusti@arcticmail.com>
Subject: Re: Re: Attached new order
Attachment: Attached new order,jkl.rar (contains "Attached new order,jkl.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18756/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.362.19482.20089.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/89ff5517452e28f7853a015903ba0573e53d05a36095774e186022944945a5a5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-03 15:41:04 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rh7vkf2ffyuppbj2afmqhoqfopst2bndmckxotqymarjiskfuwsq._file
Verdict:
malicious
Similar samples:
0a6caea4ce7bf55029e1f01895a6c653fb2c5166f76dafcf94956dd8915e4eab
FormBook
0f8acbcde0c3f0f60b101a72f778b7d29a9a799f607e4ec00aa28dc734d0fbfa
FormBook
1edf8c6bcf0ae2b38e9e28bcb1fd838c2ea35b5b126e4bc9e42daa2e1e722298
FormBook
48ce0e9cc96cb8d9ebe92bd7c1982e84d48baffdbada44d5949370a58ebae901
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
9a4f09a04f936d38799360de7c824701e635ce56d7d014903a6934626c3042a0
FormBook
b64442a995a9b13bc92c58cb492ba2ca7a5c8d3a21ac26c6cda19faa42796ceb
FormBook
cee1dd4dab302f51c7a8d824e8672bdabd4bae2ef03c015b96702e8ce5e8b70f
FormBook
f646b35153e14b1c060f94dfa4e3467165946dd9720b8ed63c2e8b144f132f22
FormBook
fc6b805a646f42a086dc2006a3a1ebe276b45d4583aae6ecb8745330a5139733
FormBook
+ 4'717 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
spyware evasion trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200703-ybvzm1k6d6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Reads user/profile data of web browsers
Deletes itself
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar df9cdb7a753de11d64cffe82dc94590f2e5fd6b8b6279aba884b739ebcbd7df1

FormBook

Executable exe 89ff5517452e28f7853a015903ba0573e53d05a36095774e186022944945a5a5

(this sample)

  
Dropped by
MD5 9b628736bffbeb04e8185dc85c6ee88a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 df9cdb7a753de11d64cffe82dc94590f2e5fd6b8b6279aba884b739ebcbd7df1
Cape
Cape
https://www.capesandbox.com/analysis/18756/

Comments