MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f4f34d29b570678e75a8d37f943eca1e305f49e16e9ef39e0dd6a98746b164f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f4f34d29b570678e75a8d37f943eca1e305f49e16e9ef39e0dd6a98746b164f
SHA3-384 hash: 765814bcd9b9481470ba4a70549c02607fe2473db1b84f35232d4adba1c1dcdf2c59c29819fee9b3b268c93e6aaedd72
SHA1 hash: d2ac4651f62e02252ace08330bdaf127b65747a7
MD5 hash: 509fa7338854b9eb7b8af69556d07e41
humanhash: mars-virginia-orange-michigan
File name:PI ZTZZ20200330.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:568'320 bytes
First seen:2020-04-30 12:06:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:oXTqaXRzaYjbdrXw3ri8hPPBJsCIHvbfkzMCsToYhBPFhF5vHgZk2hrK5cJB:ojiYjNg3yCpt
Threatray 5'079 similar samples on MalwareBazaar
TLSH EEC46C5C369071DFD527DE72DEA82C64EA25B877A30BC2079053229D9E2DA87DF101F2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: 163.com
Sending IP: 5.79.121.92
From: Reman Li <tjfsulzk@163.com>
Subject: Re: Proforma Invoice
Attachment: PI ZTZZ20200330.GZ (contains "PI ZTZZ20200330.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 12:54:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5htjuu3k4dhrz22ru37sq7muhrql5e6c3u66opa3vvjq5dlczhq._file
Verdict:
malicious
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
FormBook
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
FormBook
753c4a5c9bceed532539009df6ac3e0aa3c131297a082a2ee8ce6e94b05ced35
FormBook
82033c587c540fbcaec2ffdc139b837868711343f8a4e9ae61c306426028ace7
FormBook
8842ac3497c777517b2f18152eabaa0994a460d249773a5e89a4e16bca2bd741
FormBook
8cac0e47c8769e535bb8d4c6fc749aec4be79589a303cc89144cf07b2ba91b91
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
c0e1210ec3e11a5d71cdbf2edfb199539f891a1bdb27ccd97eaf0fb70891c615
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
f99691f533ca56e970f2be2d26ea424ac50bff2aa2bfd43482d0a166bece71eb
FormBook
+ 5'069 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

gz 60f57a1bb8880bb57c3a1c17f9aac31156a422b6bb0456fb9f5fd01b95eb1e2f

FormBook

Executable exe 9f4f34d29b570678e75a8d37f943eca1e305f49e16e9ef39e0dd6a98746b164f

(this sample)

  
Dropped by
MD5 c527bb3be5d446411f7f594f030b0afb
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 60f57a1bb8880bb57c3a1c17f9aac31156a422b6bb0456fb9f5fd01b95eb1e2f

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments