MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca6c6262134182f4bc6367855eaf6a390bf9f3a1b95e7238f3480dfe8baf50db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca6c6262134182f4bc6367855eaf6a390bf9f3a1b95e7238f3480dfe8baf50db
SHA3-384 hash: ee08c7a6caa70a7dfdc6035839ec91c8158ed4c6abf6946391126fcda3ed9e48d7b28b0ccab21ec0c61aa03d8c16ae72
SHA1 hash: 5540c32cefc6e9949fc51dc89d21a86489eb3f13
MD5 hash: 8de3855e2fada9e604e38e377cc1638a
humanhash: mango-november-august-uniform
File name:PURCHASE ORDER.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:328'192 bytes
First seen:2020-05-19 06:12:05 UTC
Last seen:2020-05-19 07:13:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:rjs1QEGBrlVgJFAJT8ZTg/6W9g7WKvV4FsA720whBeC:6QddgJMss/zm7WKaR74KC
Threatray 5'123 similar samples on MalwareBazaar
TLSH 2E64E10133E85F29D5BEA7F515B0910093767A6B7972E35C9FE4A0CD2A33F404A22B67
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: qualitech-solutions.cam
Sending IP: 111.90.140.145
From: Kelven Riley <K.riley@qualitech-solutions.cam>
Subject: RE:RE: PURCHASE ORDER
Attachment: PURCHASE ORDER.rar (contains "PURCHASE ORDER.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.47097.8141.32594.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 07:35:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
20 of 31 (64.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zjwgeyqtigbpjpddm6cv5l3khef7t45bxfpheohtjag75c5pkdnq._file
Verdict:
malicious
Similar samples:
38d4e4ea5e9b15b4d221cc6627a7b088a54964dfe95b49173a45bc5f9177a249
FormBook
72e42f1672249fbd4db20c17d5e29fba5838ef08cf0f6964d84ffc434ea46f27
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
9047151fe524a34dffeacd46eba66b4b0a87beb7f3e513ba8e5c6ca367ccc505
FormBook
accddeb954844341b87c006344f21c50757cd228d2f071d39e8707209b1a49f9
FormBook
b801afb5529bee671ee0219b95450122f641260b372695c89d7bdc5c2c227b65
FormBook
b8ee3458736fa73672b43a4c55e136bafc48b215dcb89dac28b5865ab59fc99c
FormBook
d34f87c6a070f4f73344156c16be7040f2932053aea2868e98b0fa4297113835
FormBook
e69790e910b1817bcfb714f20fda02b6e024babd3dfcea8fa982192928a5df93
FormBook
fa355139bfaa9fcf4324154194f2cb280899be4863fd278c7b06440d84a14d39
FormBook
+ 5'113 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-vsgqjvkvh6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nyoxibwer.com/20w/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar b2942b8284220620b69f1f54dd063309ff194befb3bb0d48ec4aa802ce29f40a

FormBook

Executable exe ca6c6262134182f4bc6367855eaf6a390bf9f3a1b95e7238f3480dfe8baf50db

(this sample)

  
Dropped by
MD5 a43c13e34c5f481d07efb8a69cee0f35
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b2942b8284220620b69f1f54dd063309ff194befb3bb0d48ec4aa802ce29f40a

Comments