MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ada94346c3ea30c0fce4f35e075d45ca022923d8afc8c93c4895b5b05591a857. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ada94346c3ea30c0fce4f35e075d45ca022923d8afc8c93c4895b5b05591a857
SHA3-384 hash: 53027438912b02555fb4d2e63d55e9b1d8feaac134ee5cb21058b7509ab8a52181e9e6ae59269892b6338e63cca95398
SHA1 hash: d0b623030b3ff1ce22633014b1fa09326de9197f
MD5 hash: 277364dc8a5d39bdfcfe9a1eeb37de29
humanhash: table-hydrogen-fanta-twenty
File name:new_bank_details.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:385'024 bytes
First seen:2020-06-15 14:03:53 UTC
Last seen:2020-06-15 15:26:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:nRCBVmAAAx03aOXaEABQuYDbVVU39Uuokh45oap2GhNVmL:nRCBVmAAAya8afiJbVVq+x2iNV
Threatray 5'255 similar samples on MalwareBazaar
TLSH E684C38C5C9AC0EACE350EB846CE95FA46993FF38F2A887FB58447C7C12174DA50E525
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail.cavallaro.com.py
Sending IP: 181.40.114.234
From: Cavallaro Bolivia <cavallaro@cavallaro.com.bo>
Subject: Re: new bank account
Attachment: new_bank.rar (contains "new_bank_details.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10498/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.54090.22490.26154.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 05:14:33 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwuugrwd5iymb7he6npaoxkfzibcsi6yv7emspcisw23avmrvblq._file
Verdict:
malicious
Similar samples:
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
FormBook
783c6835be34af1803983890ec14e1edb2ac7cef4442dff43cddb719d97236b2
FormBook
8dd3e9f82cb60189361dc9dd1b4423810bdea1ef095db0362513817b87ce9c2d
FormBook
9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838
FormBook
9c3dd49a5833197c8ded3093df9fa770129e196acf76de5a54ae3ae3e9580cb8
FormBook
bf04f6a3d759b9ce48f004cc8667d1b30b97451bcef767932fa6cbdd96ce87e9
FormBook
de5eead1472726c48bab2f8551a161fea3ccd71ee11b4df8e89aa5b9874832a3
FormBook
e3bdb2a06e43b09073cebd4f7a7fe633d45d1c6d149885f7b815cc591fe3b453
FormBook
e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
FormBook
e98090d4d1ad51575355593c7bad1c5481d377ea52c4d726ae5b8ce6b09b4f10
FormBook
+ 5'245 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-yew2s5y75x/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
rezer0
Formbook
Malware Config
C2 Extraction:
http://www.tromagy.com/yx5/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 3d6815006cd56e99b13941cba040932676800b4564c142b0571802947716a465

FormBook

Executable exe ada94346c3ea30c0fce4f35e075d45ca022923d8afc8c93c4895b5b05591a857

(this sample)

  
Dropped by
MD5 1965046d93de2fbe18ca24e04d194594
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3d6815006cd56e99b13941cba040932676800b4564c142b0571802947716a465
Cape
Cape
https://www.capesandbox.com/analysis/10498/

Comments