MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8dd3e9f82cb60189361dc9dd1b4423810bdea1ef095db0362513817b87ce9c2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8dd3e9f82cb60189361dc9dd1b4423810bdea1ef095db0362513817b87ce9c2d
SHA3-384 hash: 6567e01846133c7957bbeec5c4428b6d58f83d1539a331aa5f720fbc38b92c44554cf4c4dad7bf04ca847c3526bed175
SHA1 hash: 3381b5357c625c75acf68051d14504ff1c7cab2b
MD5 hash: 056aad6556263b23fcaf1c76d7b89eed
humanhash: high-seven-floor-don
File name:RFQ.22.05.2020.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:316'416 bytes
First seen:2020-05-22 13:55:04 UTC
Last seen:2020-05-22 15:01:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:ZZM4xgFJTRM21/Aj0IZczDXtt0TE3+UkInqLt360el:fRwDM21YjrydJ+U3+t360
Threatray 5'346 similar samples on MalwareBazaar
TLSH 7564F24927F8672ED63E47F8A4A5541113B0A13B5513EB1D4FE250CF62FB3208BB1A6B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: vmi339081.contaboserver.net
Sending IP: 62.171.133.25
From: Cang Sales Manager (MULTI SERVICE LLC) <info@movingcargologistics.com>
Reply-To: smulti996@yahoo.com
Subject: products inquiry
Attachment: RFQ.22.05.2020.rar (contains "RFQ.22.05.2020.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.MSILPerseus.224337.4318.7501.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 14:35:57 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
0707523c23666b0535673287616ea82b34e810594ddf19c45a0746d1bd697070
FormBook
474cad642b1cf88f8d7f922cbfd9b8a00d7fc0eb40cafc0877007ee2884f105f
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
783c6835be34af1803983890ec14e1edb2ac7cef4442dff43cddb719d97236b2
FormBook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
FormBook
e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
FormBook
e8172cbc3806d750d00a5619e618ffc068b9d8247b5f4da507642e70e32ac3f9
FormBook
ee4ae13d3fd3b58d86e270db11937476b4b7add1673983c2c28ed4d7dcc75552
FormBook
+ 5'336 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-de5fcxlyxj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.yofdyk.com/cns/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 3f7e84e602506931f1429c50dea18666d20851d26a083a7a8351d2360498dc66

FormBook

Executable exe 8dd3e9f82cb60189361dc9dd1b4423810bdea1ef095db0362513817b87ce9c2d

(this sample)

  
Dropped by
MD5 ec5bdc1349ab1d1fbc5d952d080f1fbf
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3f7e84e602506931f1429c50dea18666d20851d26a083a7a8351d2360498dc66

Comments