MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b43786f175549f7d8aba0d0213181d10a01a54ab6ac8256446b8f39de6022986. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b43786f175549f7d8aba0d0213181d10a01a54ab6ac8256446b8f39de6022986
SHA3-384 hash: d6848d4cb2228c464f2be89ec35bd47f8e40fd3b8527f38431dfcb6079d538f514107ced5b4ef3a182238bf325600d4a
SHA1 hash: 577284fa4bec6e93636d7686d95c4988879a9e6f
MD5 hash: 328208df9ccec874cd6ae223c04db474
humanhash: earth-echo-oranges-tennessee
File name:STATEMENT OF ACCOUNT.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:824'832 bytes
First seen:2020-07-08 06:31:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:UaCdQ5m+DmpvPaWv/y4IDiLE4m+AVPxhKlXwsHZ/WNNxyhKlXwsHZ/WNNxLim:xpmpdva4IDiLFAvslhtWYslhtWom
Threatray 5'804 similar samples on MalwareBazaar
TLSH 2205D131B7A69A02C77E0F31D8A342005E76A9976F06F78F5ECC25AD4E9B7551A03B03
Reporter abuse_ch
Tags:DHL exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: dhl.com
Sending IP: 37.49.224.208
From: DHL Express Service<no-reply@dhl.com>
Subject: RE: REMINDER: DHL SOA PAYMENT victim-domain
Attachment: STATEMENT OF ACCOUNT.zip (contains "STATEMENT OF ACCOUNT.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/22840/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b43786f175549f7d8aba0d0213181d10a01a54ab6ac8256446b8f39de6022986/
Threat name:
ByteCode-MSIL.Trojan.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-07-08 06:33:04 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wq3yn4lvkspx3cv2bubbgga5ccqbuvflnleckzcgxdzz3zqcfgda._file
Verdict:
malicious
Similar samples:
0edc17effc79112df8aadfd138cc3db51ecb97c7ed54668f1b17a216f45eb5ab
FormBook
1e13e14b2d390dc75cc450654d0201bb43366bc2e4a028e0f5566630fea12630
FormBook
37299afa1d46a1aa02b7b06a39d41d876f454047527e406e7cbcb659833de728
FormBook
4a21cad0d588267ebde8f8112e9d85bf355c77434beda6436cd9403a0a787c0d
FormBook
4d5c7e3ebcae0ff2419bc76ff30b7681cf9a11751834ee0dcc5868a48f9c30b3
FormBook
8100b701682e9fb7c4165631216913054e2e201f4cd63274ff1151ade42098c9
FormBook
95e40490a7ab8bc996d2a8a42233563ed067317e7b54a4083808a0d77ee2a5f5
FormBook
b8fb24fed506f2b66406af4f29a8a0522564d337d9f374c3936b369e10a69437
FormBook
cc296ddd36ee729fbdea514a26f387b2b5e88dc6bf3c61c68fb27572703acbb6
FormBook
d823d3c8c26635339f3de0090fb21441f5d2f4db1a0567b2028ca8e3e7f5670e
FormBook
+ 5'794 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/200708-egqdf26dzs/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
System policy modification
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Deletes itself
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

aa31f74f6113993d1b82a4c68b367503

FormBook

Executable exe b43786f175549f7d8aba0d0213181d10a01a54ab6ac8256446b8f39de6022986

(this sample)

  
Dropped by
MD5 aa31f74f6113993d1b82a4c68b367503
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22840/

Comments