MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca49aa362621679944ff2bb5c323dbb64ef5f0364dff1be6168c0657962296ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca49aa362621679944ff2bb5c323dbb64ef5f0364dff1be6168c0657962296ec
SHA3-384 hash: d36a68d68a5f520d8e237de348aa714754054d3d70a4db237ef11641b38feee2afcaabeb7bc7dc27ea91ef4fe61d90df
SHA1 hash: f8468c9953686b0b77dfb6949866c68b628ce73d
MD5 hash: 50282da5093e3086fcde377c5e8e28bd
humanhash: undress-oscar-delta-angel
File name:r7a3hqws.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:270'336 bytes
First seen:2020-04-30 11:13:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:G/HhXZxNiTGAATtFH0zpVVDkYx7pvX9GD:iXZykBFHApVVLFdXsD
Threatray 5'098 similar samples on MalwareBazaar
TLSH BB44F3BD1CFD5237D8B8DAB6CBC6A4A7F840E16722346C3568C38A694746D8331C726D
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: hsgeneral.com
Sending IP: 185.62.189.231
From: Christopher Sales Manager<info@hsgeneral.com>
Subject: AW: SC_PO3674638912400
Attachment: SC_PO3674638912400.docm

FormBook payload URL:
https://linx.li/s/r7a3hqws.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EJNW.5964.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 11:27:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 30 (86.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zje2unrgeftzsrh7fo24gi63wzhpl4bwjx7rxzqwrqdfpfrcs3wa._file
Verdict:
malicious
Similar samples:
035c2fa5d912202dd34e8410b14a42b0db007c2be8ed819bbc444f9818497f5b
FormBook
3090f005fcc23beec6754643f4518fc4180d5add99a42bd376e45fba69519491
FormBook
52b517b0e9be1efed3349ff5b7e7e4a392881437d7bc9ccd7b94bbc23e28a2f9
FormBook
5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6
FormBook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
FormBook
654e546d40f7d74528c82d0a3feaf917a8a173e07e2a0ad9d5f29fb8b961bc67
FormBook
ae438370eda70ba48a763c526e61b068e16d11cbd00e9cb504d6f1eeb7442d22
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
baf23acf5e1b9e4bd094eac1e69d2971ad2259d407f6572e43598cfcdb5806d8
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
+ 5'088 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Word file docm baf23acf5e1b9e4bd094eac1e69d2971ad2259d407f6572e43598cfcdb5806d8

FormBook

Executable exe ca49aa362621679944ff2bb5c323dbb64ef5f0364dff1be6168c0657962296ec

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/354693/
  
Dropped by
MD5 99f42c217f3b1a8eba49e518adc4cb3e
  
Dropped by
SHA256 baf23acf5e1b9e4bd094eac1e69d2971ad2259d407f6572e43598cfcdb5806d8
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments