MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 953a210d8cf8b14a042c8e655b497fa5623cc5e557cddc7c79a418fe826c5e2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	953a210d8cf8b14a042c8e655b497fa5623cc5e557cddc7c79a418fe826c5e2d
SHA3-384 hash:	c77c46887b71ebe6f149cf9f5b3ad5c7eab684a01c44b6c7c30b4dc2b1286987c8d743f994ccedd20e3779bf8978fdbe
SHA1 hash:	226f4567e8d9705d85e817a28caa4a7a81454358
MD5 hash:	f6324df8278eea878d3e6cbc84a9ffe7
humanhash:	aspen-asparagus-fillet-oranges
File name:	Order NORM-761-0.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	310'272 bytes
First seen:	2020-05-22 06:09:29 UTC
Last seen:	2020-05-22 06:41:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bdd6da0cfc85ae3bc242c14502b5244a (2 x FormBook)
ssdeep	6144:h8MezGZ5+07OQRjGrVU8/n+4AmKaTfVUSX/VQzRQAXDzdke:vyGwCCF/+HcjVUS6z6Azzdk
Threatray	5'298 similar samples on MalwareBazaar
TLSH	FB64CF26EA395A3CC5BF60B87AD3CDB69EC61893A42F4C59C11CC150C57DB81CAA7237
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: mout.gmx.com
Sending IP: 74.208.4.201
From: Jan Rapcewicz <hankbaum4@linuxmail.org>
Subject: Purchase Order NORM-761-0
Attachment: Order NORM-761-0.exe

Intelligence

File Origin

# of uploads :

2

# of downloads :

73

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-21 20:20:49 UTC

File Type:

PE (Exe)

Extracted files:

3

AV detection:

23 of 31 (74.19%)

Threat level:

2/5

Verdict:

malicious

Similar samples:

234feef75ecf92d540072179eb153e188eb548237ca875ca54c9654c0dbb38fa

29b04cd4f25b88b9f35f2e7a34569415b985677834d699255e417a0ed62d68a8

436ee1bd9706512d8884d07a51f806155ca2d95b3a584ceb57a87260cf19690d

440210947a4e6ccdc60e1447ee39bac99cb2e3806b3d5db06d5758cc4ac6cc50

590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23

9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264

c6bed06259f7c50c2b15e8161d5b1fa11690e69a7e5bb3261202debfb7d96708

c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348

d2a6e56b5ef7724907cceaf6ceb9da2a31012988169b8612248fd3b299e3d821

e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4

+ 5'288 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan persistence

Link:

https://tria.ge/reports/201109-hq3krq4pfx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Deletes itself

Reads user/profile data of web browsers

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.chilogae.com/mw9/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 953a210d8cf8b14a042c8e655b497fa5623cc5e557cddc7c79a418fe826c5e2d

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample