MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c80e22cd1c0ce9d113f9756e8b31e79d0609aca78aded1b18e2f73bf0b2a8333. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c80e22cd1c0ce9d113f9756e8b31e79d0609aca78aded1b18e2f73bf0b2a8333
SHA3-384 hash: b84976cbc1adea68a15c2bc8207bd69828036c4777b489baed60dd4220418e67ba7abe2430a77bf8a516e19668b076bf
SHA1 hash: a9fdd91c1c3ed8b773590ba6ea530cda091c82f4
MD5 hash: 6f669002764496b18dff16d999328100
humanhash: alabama-delaware-december-yankee
File name:MT103Copy_pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:334'336 bytes
First seen:2020-06-08 06:19:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:QUqABJWDrccx+OwUjNOiynVoAFAmUmQjfbwxiWsOBmLv8:QUzOZOteLjjqoHLv8
Threatray 4'846 similar samples on MalwareBazaar
TLSH 12640252B3F88736E13E47FE61A121005331661B7B77FB1E0CD2B2C65A727618A50E5B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: box.mytek-cg.info
Sending IP: 192.236.194.98
From: account@mytek-cg.info
Subject: Re: Paid Copies of Invoices TAS8459
Attachment: MT103Copy_pdf.zip (contains "MT103Copy_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.67676.20105.16088.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-07 22:28:48 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zahcfti4btu5ce7zovxiwmphtudatlfhrlpndmmof5z36czkqmzq._file
Verdict:
malicious
Similar samples:
1fa61bb029466f4fe3ed9385994dcaed8b25715931e460f9b4db88ec155ec6a3
FormBook
330cc7a94a8d40b4588313605d103e425e9a2530bf19e32b6cd61a786a6b8c04
FormBook
347aa505ad319b4d8ee54aabe34dfc2af12b4747af23c6b635821ba9aedd0e32
FormBook
6a277e9e2f6049fb8009d2f139a217b53da1448d7ca5c4da751336bd00d44ae1
FormBook
6b307cbe4f1e8d769af95142d574e77a50654e25cce234f48da6c5e7a7aa4b99
FormBook
6f95416c1006a499c7012c6cde49a27f83223c665cf9b28764030afeb04bf697
FormBook
a4fb872505b79e9ecf7b8f1a2c4081e2e31edee3b4c5f30748fdfb0973ae21c6
FormBook
c46f6d72a258354c5267436ea0db9cd3f12cc1595a0d9072d904b0b15731f092
FormBook
f1c80232eaed26af259c818427b444f12057b9329804da8ded13ec9fd20d3413
FormBook
f80c8e9d0e8ed0ffa6b7d8620a0eb890deb7c9dc84dca3198b3d2625bf5d1099
FormBook
+ 4'836 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-e7vegdvern/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mafov.com/x54/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip d5c2b0b6a9b066fc5f15ab26e4ab2d584692c5769eb2f77297757a89373c4559

FormBook

Executable exe c80e22cd1c0ce9d113f9756e8b31e79d0609aca78aded1b18e2f73bf0b2a8333

(this sample)

  
Dropped by
MD5 fe9175b5d4c95d61372be11d5ab78b31
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d5c2b0b6a9b066fc5f15ab26e4ab2d584692c5769eb2f77297757a89373c4559

Comments