MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 b7a6133cc3253f40c306f93cd28219a26d1354e7e360be9014c46ee3f7f67053. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
FormBook
Vendor detections: 5
| SHA256 hash: | b7a6133cc3253f40c306f93cd28219a26d1354e7e360be9014c46ee3f7f67053 |
|---|---|
| SHA3-384 hash: | 40e5125cbd793c8ca0e961bfc24495e6389c0edd56cc41879a6fc017e7dbb4bcfbe37b19087767aa81ac921a1562c9f2 |
| SHA1 hash: | 599376ab7a27630a564dd1b959bd1a11446dc701 |
| MD5 hash: | 0b06be295761b41d1831caf85411e48f |
| humanhash: | oregon-venus-hydrogen-magazine |
| File name: | P.O. # 27000446.exe |
| Download: | download sample |
| Signature | FormBook |
| File size: | 646'544 bytes |
| First seen: | 2020-05-04 08:56:18 UTC |
| Last seen: | 2020-05-04 09:55:57 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 5ca45b17f4fc6e1f91fb2d09369768d3 (4 x FormBook) |
| ssdeep | 12288:ch+Uhw7crzFyRA3DyzY7Y2uZK8kkrj6i7Tm6nDPrmCfJmc:DbcrzFmAaZRf6+TJmCfoc |
| Threatray | 5'084 similar samples on MalwareBazaar |
| TLSH | E5D40161700E02EBD21C45F00799EF203EFD9D262055D67EB9A6FE4E9C336896CB9168 |
| Reporter |  abuse_ch |
| Tags: | exe FormBook |
Code Signing Certificate
| Organisation: | VeriSign Time Stamping Services Signer - G2 |
|---|---|
| Issuer: | VeriSign Time Stamping Services CA |
| Algorithm: | sha1WithRSAEncryption |
| Valid from: | Jun 15 00:00:00 2007 GMT |
| Valid to: | Jun 14 23:59:59 2012 GMT |
| Serial number: | 3825D7FAF861AF9EF490E726B5D65AD5 |
| Intelligence: | 44 malware samples on MalwareBazaar are signed with this code signing certificate |
| Thumbprint Algorithm: | SHA256 |
| Thumbprint: | 8815DFF787F21FA8106760CB89C5B4493F4BD45E2CE801D2A4FE1F61DEE0C039 |
| Source: | This information was brought to you by ReversingLabs A1000 Malware Analysis Platform |
abuse_ch
Malspam distributing FormBook:HELO: regular1.263xmail.com
Sending IP: 211.150.70.196
From: admin <admin@yingshitech.com>
Subject: ***RE:urgent Order*********
Attachment: P.O. 27000446.zip (contains "P.O. # 27000446.exe")
Intelligence
File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Gathering data
Threat name:
Win32.Trojan.Formbook
Status:
Malicious
First seen:
2020-05-04 01:22:08 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
19 of 31 (61.29%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 5'074 additional samples on MalwareBazaar
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.chilogae.com/mw9/
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.