MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ddbf1453097473cfa4eb4c1a28a6f4a2ecdac3b24179e6fd88d3444bf96ec23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	9ddbf1453097473cfa4eb4c1a28a6f4a2ecdac3b24179e6fd88d3444bf96ec23
SHA3-384 hash:	77d66e383c9799aaa31290879ebccb20c07ff5970b2c4a7186c3311743a2e49db045150e4f3d2ceae4f2ee8f876118e1
SHA1 hash:	46b8332774561f3bd4e78f7d000c4ad818b72e55
MD5 hash:	e865f64e36ea59737f07f07cd020ff9b
humanhash:	cup-social-queen-seventeen
File name:	PI6354.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	575'488 bytes
First seen:	2020-08-18 19:36:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:O+7Xs6oXa9oLaAp3CWRIvz1avTsM5OZSjpEAHjcPL:PsH4oLaqCWRyJCslZSVxg
Threatray	2'240 similar samples on MalwareBazaar
TLSH	ECC4E12232D4D674D1B6433ACC99786403FABC06E511DB6EBC8CB2DD1A31F924B626D7
Reporter	abuse_ch
Tags:	exe FormBook Hostwinds

abuse_ch

Malspam distributing Formbook:

HELO: hwsrv-761734.hostwindsdns.com
Sending IP: 192.119.110.150
From: Wang Lu <office.alger@legrandelectric.com>
Subject: Fw:Re: Enquiry for New order shipment
Attachment: PI6354.img (contains "PI6354.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

101

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/48067/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Forced shutdown of a system process

Unauthorized injection to a system process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/9ddbf1453097473cfa4eb4c1a28a6f4a2ecdac3b24179e6fd88d3444bf96ec23/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-18 19:38:12 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=txn7crjqs5dtz6sowta2fctpjixm3lb3eqlz436yru2ejp4w5qrq._file

Verdict:

malicious

Similar samples:

0e596eee578e5cc009d172a7dbae0cf150bbf925360389b9961e67c60ab8f3a2

15f8cb0332203ee3305fb863a9f833d41266f9be9d677aa7ece33bcee8441498

474cad642b1cf88f8d7f922cbfd9b8a00d7fc0eb40cafc0877007ee2884f105f

700f8405954cf77a38e6b103b33e4c7164202e9126b3b76044be35510b2bf440

9e594cbc1aeadc0f9cf66b2af98f4f4ace29deaccd67529cd3da1d44e2d50ccf

b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634

d05efc3d09d7c08668da10c09101815e0af2f3376a03512e959ca467835b9c26

e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4

f80c8e9d0e8ed0ffa6b7d8620a0eb890deb7c9dc84dca3198b3d2625bf5d1099

fb0d1b0c62204ebfb2e04bcc607e562f398bf0cd40a275ace02ca34bed1d355d

+ 2'230 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/200818-3ap8gt7ecn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.lonxer.com/hgn/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9ddbf1453097473cfa4eb4c1a28a6f4a2ecdac3b24179e6fd88d3444bf96ec23

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img b28197e7b6c5e25313337c79d7d69bffa92a40178643c1f79505eea1310c3eb2

exe 9ddbf1453097473cfa4eb4c1a28a6f4a2ecdac3b24179e6fd88d3444bf96ec23

(this sample)

Dropped by

MD5 e32d9d17b648dfe8d18bceb04f275cdf

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/48067/

Dropped by

SHA256 b28197e7b6c5e25313337c79d7d69bffa92a40178643c1f79505eea1310c3eb2

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample