MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af7b3fa36f4f307300ab9a8dc34806cdcf9fce5fe857e9f1b2ddc8e6def9f518. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	af7b3fa36f4f307300ab9a8dc34806cdcf9fce5fe857e9f1b2ddc8e6def9f518
SHA3-384 hash:	3902ca000778df926503946ea3ba36ac31ddf0e1734236065d614386b77216f3558133bda196397930410963e0d77f04
SHA1 hash:	aae331569b1d3069d104e900180a114b04df18ee
MD5 hash:	17e6819bd7e677b338c2c0e71bdd2a49
humanhash:	comet-yankee-iowa-minnesota
File name:	PO7329HDDSF.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	395'264 bytes
First seen:	2020-05-14 11:05:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:4+/fl9ULsF9OPjk/wA+fisLpAIwEArEtQ7tbKB2PLz7PREy6XmmWw+4:Bfvgjk/3+a6ArBtRPL/XOyf4
Threatray	5'184 similar samples on MalwareBazaar
TLSH	98849E3036AF0769E5B69BF959A1A050C7B17E1A34ADD36DDD8070CF09E1F80CA85E27
Reporter	abuse_ch
Tags:	exe FormBook GMX

abuse_ch

Malspam distributing FormBook:

HELO: mout.gmx.com
Sending IP: 74.208.4.200
From: Jan Rapcewicz <vikavsingh@mail.com>
Subject: Re:U_R_G_ENT O_R-DER/ June/July Shipment
Attachment: PO7329HDDSF.exe

Intelligence

File Origin

# of uploads :

1

# of downloads :

85

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-14 12:20:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

12

AV detection:

23 of 31 (74.19%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=v55t7i3pj4yhgafltkg4gsagzxhz7ts75bl6t4ns3xeonxxz6uma._file

Verdict:

malicious

Similar samples:

34c443f1958966963f6976bd37eefd299c17dad91759a54166e3056da8f0ad0e

45e3ddc537305927193e8dd44ef3e30012ec81a9eefe4107cfe6f78acd042bf7

58933d7bb0147da562d240bc3c9974ecaa552f35495a773345e1e7d158f39588

6790e06e433d6df6123631a9af6c9fc399b1811072284d2164671b063c640a33

7302711920290930c1668ecf6519c207fdafb56b7f6d894b1e3fd4e4b920ad81

7a755f37dfb67f9ee5f00330aeb01fc6262adc740d610549dbb2ec83e99a2618

8df71043e89088e65c08e918cdd0d0278e78ce39d3d22e04e0310c3d7ec50b28

942040aa151db7981d1d09c3cf264df1ada08805011a4720812016bd231048a7

b7a6133cc3253f40c306f93cd28219a26d1354e7e360be9014c46ee3f7f67053

fca6ebdeec0b760f2faeef8ba5edf6ab9d0141475b5f554ef1678aa4426baaac

+ 5'174 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook coreentity rat rezer0 spyware stealer trojan persistence

Link:

https://tria.ge/reports/201109-wppmgph9le/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Adds policy Run key to start application

Formbook Payload

rezer0

CoreEntity .NET Packer

Formbook

Malware Config

C2 Extraction:

http://www.chilogae.com/mw9/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe af7b3fa36f4f307300ab9a8dc34806cdcf9fce5fe857e9f1b2ddc8e6def9f518

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample