MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1d8dc3627d6274bbc44d637008958b06acf5c9bd4de3d3c8c9229552956d7c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1d8dc3627d6274bbc44d637008958b06acf5c9bd4de3d3c8c9229552956d7c5
SHA3-384 hash: 10deef6e018e5ecc4b36b52f7d72463405f3060c41440f4db2378a72b020d7df46fc0c07e264abf268829e2732e200dd
SHA1 hash: ba0a884ecc26ea4ac0ebd408cf9bb4445241b3a6
MD5 hash: 55f0bb4a95a994b65f5dd90d8fcab710
humanhash: autumn-leopard-jersey-avocado
File name:PO#9534755789.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:368'128 bytes
First seen:2020-06-02 12:58:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:Myh0M1voP4uLW6ZLG+UF/+GSwXPJh/dWkSgAJZH1IxCbLYlLX1x6pV1JGNUx:M40MVoP4uLDZ7n0XBltOJZHCxsLYJXXu
Threatray 5'401 similar samples on MalwareBazaar
TLSH BA749E10D39CD997CAEEC6BCC8D6650483F190EF694BE356E8A164F79A43772AC0134B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail.genonop.tk
Sending IP: 94.177.243.187
From: Hans Karlsen <admin@genonop.tk>
Subject: Urgent Order
Attachment: PO9534755789.gz (contains "PO#9534755789.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 00:45:10 UTC
AV detection:
18 of 31 (58.06%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uhmnynrh2ytuxpce2y3qbckywbvm6xe32tpd2pemsiuvkkkw27cq._file
Verdict:
malicious
Similar samples:
1dd89cec8476c901750387a54eb0cce63addcb6037d96de9a78fd736531f9390
FormBook
2bd1995c8c2b3f35906807ce4697151cf801af339579cd7b86e467df6474dafa
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
7d65c5f831361d3e7441c49dfe9e5a286c1b142fa1315c3460e144b240a2afaa
FormBook
7d667845924245b2c6acee25a643afab5ad0a822614574c93cbf19ff0bb4f8c4
FormBook
7fab1d558e165d232858902d7774749256fb81c20ded2487bbc3b7b2cd0d1507
FormBook
80d185a291cf5c72cf84c63a49ade7e9d7363a3721aa2967c9d143c7d29fa03d
FormBook
8791d7218610249f735812d5d7f4f890e0e399c3efab189221bfe96732fc2b1e
FormBook
b2d60c8915d3180d7416c1c7067bb63b0002145b7dfb0fecfb2899cbabf0c274
FormBook
ed21049192c51ab75191b0791aa7d746b86fc3bca997cea24726399a45a734cd
FormBook
+ 5'391 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-ctxjmfpq12/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.masionlex.info/uc02/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

cca163332e4ee883e0fe0592cab631bf

FormBook

Executable exe a1d8dc3627d6274bbc44d637008958b06acf5c9bd4de3d3c8c9229552956d7c5

(this sample)

  
Dropped by
MD5 cca163332e4ee883e0fe0592cab631bf
  
Delivery method
Distributed via e-mail attachment

Comments