MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5a17e29758a200bd8bd3805f5b1f292a236ee994274033ee1953ec7e9690db3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5a17e29758a200bd8bd3805f5b1f292a236ee994274033ee1953ec7e9690db3
SHA3-384 hash: e085d39049252d761b2ce7a528c217bed99f6abd8d9cdc1156f04316fff6d53b650dad51606f51fffce6ee22159c4f21
SHA1 hash: 9b41de7e652c801ecd1dfc266983dd1675d90a3c
MD5 hash: 3fa896fb15113a55eef386e3c00c6897
humanhash: may-london-uranus-princess
File name:HSBC Payment Advice.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:336'896 bytes
First seen:2020-05-28 16:44:30 UTC
Last seen:2020-05-29 08:18:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:LlY9KE6OIY1/UK51TYTRW+F/hKxJ6bJ7gMpYKQNFR7wj5fvezvI:m1MK5t2RNhpCMpCNH70eb
Threatray 5'326 similar samples on MalwareBazaar
TLSH 4264E10123998F33E8BD87FE8452114547F5162B7A16F38CADD7A0EB6AB6F418910F4B
Reporter abuse_ch
Tags:exe FormBook HSBC


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: ip-143-95-1-124.iplocal
Sending IP: 65.75.136.136
From: HSBC Advising Service <info@hsbc.com>
Subject: Payment Advice - Ref: [HSBC1057025201] / Priority Payment / Customer Ref: [PI107057QT20]
Attachment: HSBC Payment Advice.rar (contains "HSBC Payment Advice.exe")

Intelligence

File Origin
# of uploads :
4
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.ELIS.10525.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 17:36:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0e319c36c39c8504a0349445b2282bc450758b7e670a3477c0653b1daafffaff
FormBook
308336495b7fa2af7107a520ec1fdcaac4a0d615e0ecfd8ddd6090c72c3f46b6
FormBook
37812e3e7309cc0348c77208870cbeb44636a785dec26241fc6e392905edf91e
FormBook
3b7dc89103d8c49eea88bd302c37e6b9c1f1ae13bdd38c9ff9709568b9f56e3b
FormBook
42895dc552049d3cfd80ced83d8e2fbfc30adc3799e3748aa5f9e7df32373a58
FormBook
4d4f1920e857285f7bb60473910ffabdd1cbbbb9140be18af0f226a247159546
FormBook
9ebbeaf380d12e97972f57de2e052f1e043370d0be0bcd0deb3ebc5334cc68a2
FormBook
a34a05f4fba031be97dcc4bb04e0e45a75d1034cd2d32177b26a65de7a1306a0
FormBook
da6fd7aeb4a04410109f9f170589fe5262a1922a7dabc5b7b26e0af00dcdaba3
FormBook
f6557b3412ca78e87ff38632aaf24732b74da646678fd6ea5f01134bb498fd14
FormBook
+ 5'316 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook coreentity persistence rat rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-wvjebke8ga/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
rezer0
CoreEntity .NET Packer
Formbook
Malware Config
C2 Extraction:
http://www.regulars5.com/jac0/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 32b18e9d2f1e8a4685c9ce531bcd0934febdc7592ff407b7054e5b79063fcb1b

FormBook

Executable exe a5a17e29758a200bd8bd3805f5b1f292a236ee994274033ee1953ec7e9690db3

(this sample)

  
Dropped by
MD5 8fab3cf30a39fdb9e83f5f9cc1702d9e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 32b18e9d2f1e8a4685c9ce531bcd0934febdc7592ff407b7054e5b79063fcb1b

Comments