MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b59687559bfc1f043f7f1c3c42651b51450836ad4973fbda39d57ca0ec157c65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	b59687559bfc1f043f7f1c3c42651b51450836ad4973fbda39d57ca0ec157c65
SHA3-384 hash:	8cc7f8355a8ff98cb0da4450fdbfce04ffbb68be863407a35c012be3bbea6e579020840a5eccc781f0191476a98ad105
SHA1 hash:	c5ac0e341ee1a3f5720b8b44075a0a7b0c6f57d3
MD5 hash:	ac238ec3b908e0e005e556e1df634464
humanhash:	mississippi-august-sodium-spaghetti
File name:	order _pdf.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	708'096 bytes
First seen:	2020-05-26 13:24:31 UTC
Last seen:	2020-05-26 14:21:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ab7c6090caa74612589a46d0fcbec31e (7 x AgentTesla, 3 x Loki, 2 x FormBook)
ssdeep	12288:NoS07MyfiVaPjuU4JRVw2gE3swQkwYqTx25jp/ntKsv77:OVrfluUWVw2x2Y80jpV7
Threatray	5'330 similar samples on MalwareBazaar
TLSH	6DE48C2EEFA14433C062167D9C1B56B89C2ABF5129385F462BE4DC4CBE39741F43B296
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: capriolo.com
Sending IP: 154.118.112.79
From: Purchase <sales7.fac@163.com>
Subject: RE: Re: Re: Order
Attachment: order _pdf.zip (contains "order _pdf.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

75

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-26 13:36:31 UTC

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

295c508d5a38496e158e8ae8795196bfa24a12d1aabc2e528a133b41e6723ed2

2f7909f2f9c886007630cef749f408d4d7be271182dadf6bb0ff6924ad65703f

49f8b73df45213da0f86e871fbd8d231cdfcc30e7ef8041d38ef062884e47b2e

654e546d40f7d74528c82d0a3feaf917a8a173e07e2a0ad9d5f29fb8b961bc67

72182475544d3b228d94d5e9185b7162fe647201b2302c214a00d36a131c2f68

75549fad0671d97245ff745daa90f72d93b9518650b9a9b3cb174151ae0e335a

8359aef736bf6288512a9d20ed65d3c2981c55ef52421e47ccc287316fbcf7ca

969f79907e45ccfccd7ea0072ae993c93b963d0208a971ef24e7b07060300de1

be4207b3c6def716919d01b666d9a78243730825f095b30edca4dfdae1f9096f

ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645

+ 5'320 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan persistence

Link:

https://tria.ge/reports/201109-3fj92xwec6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of UnmapMainImage

Drops file in Program Files directory

Suspicious use of SetThreadContext

Deletes itself

Reads user/profile data of web browsers

Adds policy Run key to start application

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.chilogae.com/k2w/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 64f672fd1d1889f9f6b595fd91cff3224db0c9e564b7c202c66649b6f99856f1

exe b59687559bfc1f043f7f1c3c42651b51450836ad4973fbda39d57ca0ec157c65

(this sample)

Dropped by

MD5 88c2a542cd4b14c3d4e4d444acf50e00

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 64f672fd1d1889f9f6b595fd91cff3224db0c9e564b7c202c66649b6f99856f1

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample