MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adf4b8a00eec7af49d20ac1939ca9b5c078e8d119c7e6f1b708c5e39df3acf71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 6

SHA256 hash: adf4b8a00eec7af49d20ac1939ca9b5c078e8d119c7e6f1b708c5e39df3acf71
SHA3-384 hash: 3b35ad6db7953ada91d7875cce5e76807c7d2cc2db08845bbdc5d270d7981e0517f388048f7c47202a51d84c03797054
SHA1 hash: 9736f277710815dafe27857805e0c7af97adfaeb
MD5 hash: 04c8a35797fa8d2e1e3ed5f65f128d04
humanhash: crazy-eighteen-march-saturn
File name: Total GP Employment Offer.exe
Signature: FormBook
File size: 317'952 bytes
First seen: 2020-06-14 10:36:00 UTC
Last seen: 2020-06-14 11:42:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 6144:d2irdS0Hsu1Ptr2yvU1OFBvFn5FzD6rZ2WCsd15WaiKDks:WIPr2mU1OFBvFn3PvWF18vH
Threatray: 5'105 similar samples on MalwareBazaar
TLSH: 3064F10873ACAF26DAFA47F98AE2284413B495775521F74E5EC431EE1E33F858602E17
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: smtpauth.net4india.com
Sending IP: 202.71.131.66
From: Total GP HR Department<hr@totalgp.com>
Subject: Total GP Employment Offer
Attachment: Total GP Employment Offer.zip (contains "Total GP Employment Offer.exe")

Intelligence

File Origin
# of uploads: 2
# of downloads: 76
Origin country: n/a
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Swotter
Status: Malicious
First seen: 2020-06-14 01:21:22 UTC
AV detection: 25 of 48 (52.08%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat rezer0 spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
rezer0
Formbook
Malware Config
C2 Extraction:
http://www.vinoblay.com/lgm/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
FormBook
Executable exe adf4b8a00eec7af49d20ac1939ca9b5c078e8d119c7e6f1b708c5e39df3acf71 (this sample)
Delivery method: Distributed via e-mail attachment

Comments