MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fcc3e95c54613cec5176ad7aabc3a5d498fb608d825f98a087ce6784fdad992. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8fcc3e95c54613cec5176ad7aabc3a5d498fb608d825f98a087ce6784fdad992
SHA3-384 hash: 2103121acc56c25d343b8019057668d92f6aa63ec80a414b6058837279d668422952c0648c04f3000624dd1e7ba8f047
SHA1 hash: d4fc14325a4a3ca7fb259bbdd95ae15ee47081c1
MD5 hash: 82dd8a6c5f49f0dcff5c10e62571a3c7
humanhash: queen-california-winner-don
File name:tq9604oy0Xa6q6L.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:343'552 bytes
First seen:2020-06-24 06:36:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:7lGQUlhd3PUeMfwlH4OzY8rLj2jSW/iR4V3qwAbY2N1pTnQpLy:7l3UVNMfwlPPXIV3kbYeb2O
Threatray 5'112 similar samples on MalwareBazaar
TLSH 4274F11B3BACEA27C23809F580D12F4467B66DAB6566F7E81CD132D998C37E159302C7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: n1nlsmtp03.shr.prod.ams1.secureserver.net
Sending IP: 188.121.43.193
From: Sales-Mr. Tipakorn <support@fffmed.com>
Subject: RE: Payment contract invoice
Attachment: tq9604oy0Xa6q6L.zip (contains "tq9604oy0Xa6q6L.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13487/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8fcc3e95c54613cec5176ad7aabc3a5d498fb608d825f98a087ce6784fdad992/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 02:12:34 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r7gd5fofiyj45rixnll2vpb2lvey7nqi3as7tcqiptthqt623gja._file
Verdict:
malicious
Similar samples:
1423f45cfa5d62d8910075b3cc15855237e0a0bc2e2c18a49b94f0cc8d592602
FormBook
16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e
FormBook
1e1a825c158fefa17df9237a4be60bc99e1a2a42ded631c8636b6af668b1627f
FormBook
38cafe26c2a04715f175182f36462f482bdbbcb1d875654b9ac1242c29f50b06
FormBook
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
FormBook
6b307cbe4f1e8d769af95142d574e77a50654e25cce234f48da6c5e7a7aa4b99
FormBook
9f53e0ba2145f3e5c599392f4420513df545be0f4a5034310eb149672d5c44e5
FormBook
cc02c528f1eccf6891f5c97815c5c97560ca1c92849e35669bf061cb55e6289b
FormBook
cc296ddd36ee729fbdea514a26f387b2b5e88dc6bf3c61c68fb27572703acbb6
FormBook
eb1cf2b146f8b3e00e50f11059dc62dc6cd9aaf359c25cb4dd82834a4d28c8e8
FormBook
+ 5'102 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/200624-j8krsl2qcs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 53230e1e4633bff19359e6ee0490bb5833d44ab87126dcfdbdfe62ddefc54782

FormBook

Executable exe 8fcc3e95c54613cec5176ad7aabc3a5d498fb608d825f98a087ce6784fdad992

(this sample)

  
Dropped by
MD5 6c2cfd10c3b631e11fa589430d278017
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13487/
  
Dropped by
SHA256 53230e1e4633bff19359e6ee0490bb5833d44ab87126dcfdbdfe62ddefc54782

Comments