MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2bd939267fd297467b51564f35292ef7753329e2ac5ca000b9b1c1fcbf90d1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c2bd939267fd297467b51564f35292ef7753329e2ac5ca000b9b1c1fcbf90d1a
SHA3-384 hash: 8c3ef11190006da877081c8b4a0c477be76ee82c25ea2a3e63d74746a1ed768effb803cbbe446f3951bff0081d15f0e1
SHA1 hash: 58ebd136350ae4b90e5f8647e13ff1cf88412c1b
MD5 hash: 002c9c9f729986e4349a21e076f087a5
humanhash: river-magazine-pasta-queen
File name:ABB tender documents.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:342'016 bytes
First seen:2020-06-24 05:38:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:9NVEddhd9seMXY1TUFMEXBDvAD8ePOlknmp6P6RoF+Azh8gnoecPWrMbfQ1wK:9EMXQTUFMEXZHliu6P6S+uu+cPWQbO
Threatray 5'375 similar samples on MalwareBazaar
TLSH 8774E00B3B9CE607C6FD09F694C36B0443B979A6A661F7C91CC866EA14D3BE119113CB
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: 162-241-214-229.unifiedlayer.com
Sending IP: 162.241.214.229
From: Chen Liang <chenliang@new.abb.com>
Reply-To: Chen Liang <chenliang@new.abb.com>
Subject: [ABB (Hongkong) Ltd] - 要求报价, Order no: 77923148
Attachment: Request for quotation Order no 77923148.rar (contains "ABB tender documents.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13411/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c2bd939267fd297467b51564f35292ef7753329e2ac5ca000b9b1c1fcbf90d1a/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 05:40:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yk6zheth7uuxiz5vcvspguus553vgmu6flc4uaaltmob7s7zbuna._file
Verdict:
malicious
Similar samples:
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
FormBook
327254ffbd59cf2ac7038d509ace922665282b3d0cdc2eed9751d7bfe2b38f0f
FormBook
45024576e848c50c9199cbfe61462e11551ec6ce99cb7ca39ae929dc77aa348f
FormBook
6740dedb2240b867fd09e2b5fe3a3c1e1a76c5067c9b7e9e77ef709a48f906ee
FormBook
7a475538957191436090c02a6ad2daa2ea4e60aa82c11f514892d5541a3e79d8
FormBook
9a1bbd02f1dc5ae62f13a00f38067354bf8a754e72e3ebee49a8b6aaa7b7e41f
FormBook
9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412
FormBook
aac570b4af97093e3d10f81c8754d3523b4d76fd894333a8e20deb33a4247ab5
FormBook
cfc1cfcb5119cb196b34e5905578d55e2afd871f2b93f820637e6386168892c5
FormBook
e5bb61ce7666ce9c2fd0245cb13dbb8368d894a767041677c0749438154433fd
FormBook
+ 5'365 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/200624-c1szpa86b6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar d462c19dd7d0720556ed098107fb85635e5c45bd19587bb5a9d6a6bf9b305114

FormBook

Executable exe c2bd939267fd297467b51564f35292ef7753329e2ac5ca000b9b1c1fcbf90d1a

(this sample)

  
Dropped by
MD5 c769cf59ebdbba0edcce3ed6a86e7929
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13411/
  
Dropped by
SHA256 d462c19dd7d0720556ed098107fb85635e5c45bd19587bb5a9d6a6bf9b305114

Comments