MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9892174fb6554517088a27486a3e7e71e3f0375121055dda6aae664a5f3470da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9892174fb6554517088a27486a3e7e71e3f0375121055dda6aae664a5f3470da
SHA3-384 hash: c19dd4be011ceebb1e915d033b920b6065a59a10a684c159218423bb7c38350dfdd44b73226b9df54fac8ddcc4653883
SHA1 hash: 2e30f32ec1d9c20cd254706a597832af5858e78b
MD5 hash: 8f268111b901220181c487166e8ef210
humanhash: twenty-queen-summer-cold
File name:PO-SK319202011.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:341'504 bytes
First seen:2020-05-11 14:21:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:UowgkIz8qfC8k3cwaX0il0gtExlFE5aS/XWXB3oQRwO6O6g3I3kEQFZ7d5MQu8MD:Gu8qfC8k3cwaX0il0g8BYfvO6YEQFZ7M
Threatray 5'223 similar samples on MalwareBazaar
TLSH 7A749E0436AC6B7AE4B66BF52AA49451D7F2706A3852E76D4CD115CB82F4F40C8B0F3B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: sellerbulknewsservice.live
Sending IP: 117.50.10.149
From: sales@sellerbulknewsservice.live
Subject: New order
Attachment: PO-SK319202011.zip (contains "PO-SK319202011.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 01:36:29 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tcjbot5wkvcroceke5egupt6ohr7an2reecv3wtkvzteuxzuodna._file
Verdict:
malicious
Similar samples:
293f8c9b635a869a00e4f0d275c8a3e8f358242e4813e443282cbc5ceb8f099d
FormBook
322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e
FormBook
538b5708c76c86e74b0bf54772daa9bda7c7bab48b5261541a3bf128714d8e68
FormBook
5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6
FormBook
6c45a4d4ed82e89fc389c64729ef65d08fa313ad92e0818f6c1fa96156d66f4e
FormBook
a88caf11b01cea311aca13b6e757a8974d5033e1acb8749b9d1951ed0d93d44c
FormBook
bfa0531240e8ae03aee76df45f9e4c8748ad739a63f47c81269d7b2ca05fc329
FormBook
cf43cf001b3d13737742128ccf4916e2275fbd1ee0270b884a1d3dbc360f962e
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
f99691f533ca56e970f2be2d26ea424ac50bff2aa2bfd43482d0a166bece71eb
FormBook
+ 5'213 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook evasion rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-zwkwa6wy96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Malware Config
C2 Extraction:
http://www.salomdy.com/rmj/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

d20f8ec352c5e6009593b713b9ea588a

FormBook

Executable exe 9892174fb6554517088a27486a3e7e71e3f0375121055dda6aae664a5f3470da

(this sample)

  
Dropped by
MD5 d20f8ec352c5e6009593b713b9ea588a
  
Delivery method
Distributed via e-mail attachment

Comments