MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf04f6a3d759b9ce48f004cc8667d1b30b97451bcef767932fa6cbdd96ce87e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	bf04f6a3d759b9ce48f004cc8667d1b30b97451bcef767932fa6cbdd96ce87e9
SHA3-384 hash:	f953539eed2dc1983ae3a8bc3924bb3519b090d17fd498445da61da5bcab336b65a5eb9514473792cabb6904f03ee812
SHA1 hash:	afe588e07569015c759a6898f6a6be96b33e35bc
MD5 hash:	80b38cb0e58c4ddc697c982b384f4ecb
humanhash:	blossom-whiskey-avocado-oven
File name:	Bank_details.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	398'848 bytes
First seen:	2020-06-10 07:37:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:Wskk9bTv68+6UoaZrlqoJFqFD2fSKUIBOcfwCelpcUc:ffTv68+loKltPYDIK
Threatray	5'984 similar samples on MalwareBazaar
TLSH	3B849D893250B69FC82BCDB6C9981C249B6074AB572BD343A45716EDAE0D7D7CF006E3
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: host34.axxesslocal.co.za
Sending IP: 154.0.167.222
From: applications@frontierguns.co.za
Subject: Re: Confirm account
Attachment: Payment_details.rar (contains "Bank_details.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

62

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-06-10 07:39:09 UTC

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=x4cpni6xlg444shqatgimz6rwmfzori3z33wpezpu3f53fwoq7uq._file

Verdict:

malicious

Similar samples:

3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b

474cad642b1cf88f8d7f922cbfd9b8a00d7fc0eb40cafc0877007ee2884f105f

5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea

5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35

783c6835be34af1803983890ec14e1edb2ac7cef4442dff43cddb719d97236b2

9c3dd49a5833197c8ded3093df9fa770129e196acf76de5a54ae3ae3e9580cb8

ada94346c3ea30c0fce4f35e075d45ca022923d8afc8c93c4895b5b05591a857

de5eead1472726c48bab2f8551a161fea3ccd71ee11b4df8e89aa5b9874832a3

e3bdb2a06e43b09073cebd4f7a7fe633d45d1c6d149885f7b815cc591fe3b453

e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c

+ 5'974 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook persistence rat rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-z67z26wew6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Deletes itself

Reads user/profile data of web browsers

Formbook Payload

ServiceHost packer

rezer0

Formbook

Malware Config

C2 Extraction:

http://www.tromagy.com/yx5/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 2e537083c299cacd7475bcca322a31b291bd7ca9f3c703b31622d0950ab2f05d

exe bf04f6a3d759b9ce48f004cc8667d1b30b97451bcef767932fa6cbdd96ce87e9

(this sample)

Dropped by

MD5 96c3060a0d607b4429d1818cfbcb8010

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 2e537083c299cacd7475bcca322a31b291bd7ca9f3c703b31622d0950ab2f05d

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample