MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5d81b3d4d0df91d286ae0f3db7d166ecd013e8c53d1677be5b149edb9d15d42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5d81b3d4d0df91d286ae0f3db7d166ecd013e8c53d1677be5b149edb9d15d42
SHA3-384 hash: d1f4268a6eb7cfe69c8f8bd5b2acadbdda597aed66610bd55928f1c49597b5577145afafdb2ffbd58f86bbf91691c5e1
SHA1 hash: fdf5963190fcb5e95bd72a321974c76bf3c3097b
MD5 hash: 6b5336f1d7c2b76f1ef01955efb37319
humanhash: zulu-mobile-timing-may
File name:Remittance Advice Copy.pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:417'280 bytes
First seen:2020-07-07 09:48:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'456 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:nZvu+u0ZnCDBFBavp5oJy6FfwmutmUh5RZM:e0AbByDBofwvmUh1
Threatray 5'250 similar samples on MalwareBazaar
TLSH 1994E02563D99729E5BD0B3C9761621003B6B1373547F32C9FC9A5A82C737E18B12AE3
Reporter abuse_ch
Tags:exe FormBook HSBC


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: hwsrv-742342.hostwindsdns.com
Sending IP: 192.236.161.86
From: HSBC Advising Service <advising.service.115673234.809934.2662785935@mail.hsbcnet.hsbc.com>
Subject: Payment Advice - Advice Ref:[GLV351303116] / ACH credits / Customer Ref:[KJJ11200626115001] / Second Party Ref:[U5990937435]
Attachment: Remittance Advice Copy.img (contains "Remittance Advice Copy.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/22178/
Detection(s):
SecuriteInfo.com.FileRepMalware.12803.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Possible injection to a system process
Forced shutdown of a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a5d81b3d4d0df91d286ae0f3db7d166ecd013e8c53d1677be5b149edb9d15d42/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 09:50:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uxmbwpknbx4r2kdk4dz5w7iwn3gqcpumkpiwo67fwfe63oorlvba._file
Verdict:
malicious
Similar samples:
5c6d005bb7bd065341b432bf6a27117c76115e18ae10fd21906759d05d05f733
FormBook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
FormBook
688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
7abf73f6d63535a3770a681960124ee32f77d0305cfb82e80da13301829d5b25
FormBook
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
FormBook
b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634
FormBook
b57c9384280389b262d09cb4fa5b5465aadd4aaba2afb6d48c5d6e7c3f8d923e
FormBook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
FormBook
eaf38856854d7a07f62a61ae80205ca9561eb93449224f4903209ec397b9bd4a
FormBook
+ 5'240 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200707-83w95cgm9e/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img ef81571260baec7c25465b0ec569e4856c4a2ae54295244fbb2b3a2147063b82

FormBook

Executable exe a5d81b3d4d0df91d286ae0f3db7d166ecd013e8c53d1677be5b149edb9d15d42

(this sample)

  
Dropped by
MD5 02f49a1fd5e5c5638f3505a442f473a4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22178/
  
Dropped by
SHA256 ef81571260baec7c25465b0ec569e4856c4a2ae54295244fbb2b3a2147063b82

Comments