MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1809788389e6fbab24abc12b306b2cd4d88a59b983b5a469a63d923e572fa6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	b1809788389e6fbab24abc12b306b2cd4d88a59b983b5a469a63d923e572fa6b
SHA3-384 hash:	b70406847647ad5d04ce3036c6e97b8813cb7bb17a1f6feec9ab296a50fa5c78a25de6181bfe2e0bc1247018868316e0
SHA1 hash:	e76760862797d31eb2292bc3b6c44e6201b7f5ca
MD5 hash:	ed5fc713b4d77058607a852ff35de858
humanhash:	high-nineteen-fillet-angel
File name:	89mnsttNIvumJeY.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	372'736 bytes
First seen:	2020-06-18 16:43:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	6144:UcQVYSKtSEgnkp5KWbPe0LE+22FX6ADfBMfKXGMsSJh53zzHCuGYkr2GhN:UczSZEgn05KWb7E+2qKAqi8gh5jGZf2I
Threatray	5'376 similar samples on MalwareBazaar
TLSH	AB84127C6AA4D766E69D93B5AAE51721C3F290061E03E32E8B90B1D11FB379043613F7
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: fzmt.ru
Sending IP: 107.174.142.107
From: Yerko Quiroga<fzmt@fzmt.ru>
Subject: REQUEST FOR QUOTION PANGUILD : REF PAGC200558
Attachment: REQUEST FOR QUOTE.Gz (contains "89mnsttNIvumJeY.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

88

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/19830/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.fc.13682.UNOFFICIAL

Gathering data

Gathering data

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wgajpcbytzx3vmskxqjlgbvszvgyrjm3ta5vuru2mpmshzls7jvq._file

Verdict:

malicious

Similar samples:

0a18c476254735864b8ab07e5223bb310207954cce179c4b773345d73247113f

3a65203b683e8f50436aed7a76531617e566c4363ca795885683479e4a3430b6

46d500e1f512e941b4c282d92908fb244439bede7a604381f761823d66f8ba2f

4bc2794576ebc0396a825e7b5f5fa26303e79972e7a2d68ded5cd68729288107

a658844624b4f1c5dd792ba527d7f04945aac9be928febf34813b3028deaf0da

b42bb3af52ae6b9fc8dd890fea86abad727db5ae0647217d2f5f2035bc5c2c7b

cd120b25b52e7720424139783c7b18f496b07f5bd8f3d4c52ea8b149318da5de

d571629d266c5354146cdfe698d79c88c33e598aa6c8d9a0587662c6b5421ed2

f62545db6d573b7145c40ce57f9d85eafaa9ffd95923178d29a02845def94b0c

feb3b84e0ea9e1c3522e9a3258f8578ffe461a43ce41920d6b41fa19520ac7a2

+ 5'366 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

persistence spyware trojan stealer family:formbook

Link:

https://tria.ge/reports/200624-shsazecvzn/

Behaviour

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

System policy modification

Drops file in Program Files directory

Suspicious use of SetThreadContext

Deletes itself

Reads user/profile data of web browsers

Adds Run entry to policy start application

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

fe3054a08a3e54c7ee1214825c0bfd69

exe b1809788389e6fbab24abc12b306b2cd4d88a59b983b5a469a63d923e572fa6b

(this sample)

Dropped by

MD5 fe3054a08a3e54c7ee1214825c0bfd69

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/19830/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample