MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b36d0b4952457c89f455f2333a815b0a1d7530a108bf43ea0ef1a7c17fe2774b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b36d0b4952457c89f455f2333a815b0a1d7530a108bf43ea0ef1a7c17fe2774b
SHA3-384 hash: e1a6586af9c88d0ddceae9d7edf915de8cdd07f8c360d3bcdae9820de322e4ba529ed808f4a95305cb6099f70b4a3f21
SHA1 hash: 4c0fe63fe5090ed8ac71f3af10dfc84c9b8b0f5e
MD5 hash: 48884ebe9169015be3e42f68ad14d7be
humanhash: low-mike-uniform-east
File name:Purchase Order 77809 for acknowledgment.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:288'256 bytes
First seen:2020-05-13 11:59:00 UTC
Last seen:2020-05-13 12:51:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:oO9aBo6XfvCXP9xj5pw61TNGzUpWAlNvm5y34WRcEN:oO9aBo6XfvQXjk4G+7rvm5y34WRcEN
Threatray 5'109 similar samples on MalwareBazaar
TLSH C3545B8D762076DFC86BD8729EA81C64EA5074BB831B9207E02315ED9E0D99BCF151F3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: outriger.biz
Sending IP: 156.96.59.92
From: Kim Sung Hae<sales@outriger.biz>
Reply-To: aoer.wzaoer@gmail.com
Subject: Re: Purchase Order 77809 for acknowledgment
Attachment: Purchase Order 77809 for acknowledgment.zip (contains "Purchase Order 77809 for acknowledgment.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28559.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 12:35:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wnwqwsksiv6it5cv6iztvak3bioxkmfbbc7uh2qo6gt4c77co5fq._file
Verdict:
malicious
Similar samples:
1158faac2f05071553e63e40809ecdd0450934aa8e372728dcabf9cedbbb5ffa
FormBook
163065b27e36ce19e815d862a46534b6b7a048be46562ae48c3811fb35fa3338
FormBook
16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e
FormBook
41b0a4eba05ad382e109d412680e4a5a636cbc7dc6928c5de923d689f070ece4
FormBook
52e01cac4f5319a7d1177aae77861b4ad8f77b26581d089e948344d0e608b80b
FormBook
95fd3400d70565e8bd28da81374df780073cd2762b922059b26150a560c6aba0
FormBook
99d9cdc246bf28881b009ae71b1611c83397b23b5adf5b3746f51a5a2903ec24
FormBook
a119b8bd8e1427830ac76a7649318c0b2e9deb263b6c5e4ea0290c558d159b13
FormBook
a6009a6b0724811f3bb71fc6f0c6b3b1aad71448948175949c7eb8af82034e91
FormBook
eded02bf0afea18ebbcaa7682ad7f3d1215b064cd2a3185f230b87195ef85218
FormBook
+ 5'099 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-ypwmnz614x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
rezer0
Formbook
Malware Config
C2 Extraction:
http://www.slacktracks.info/y22/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip dcb50eb4e606d1db5f3438f67dd8f02a0113eda8319e602bbb7dbaec55a28f3c

FormBook

Executable exe b36d0b4952457c89f455f2333a815b0a1d7530a108bf43ea0ef1a7c17fe2774b

(this sample)

  
Dropped by
MD5 0fb952bd7d74a69ac56acdc0fb4c9b16
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 dcb50eb4e606d1db5f3438f67dd8f02a0113eda8319e602bbb7dbaec55a28f3c

Comments