MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd120b25b52e7720424139783c7b18f496b07f5bd8f3d4c52ea8b149318da5de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	cd120b25b52e7720424139783c7b18f496b07f5bd8f3d4c52ea8b149318da5de
SHA3-384 hash:	59dd9873e2adbb143bcb5471d4ec144299d32d0f5576e8c7ebaf10d8a2aee519e08baac894b9e99becf12575deb16cd1
SHA1 hash:	3504777631171093787fec15f7f3defc2ab9dbeb
MD5 hash:	853db46bada4ad475274b9250ac1dca2
humanhash:	eleven-utah-east-river
File name:	Sbin.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	427'008 bytes
First seen:	2020-06-08 19:03:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:bALbDBpZV9rncF6bRRoMFhfTQO1YT+e/BuG9cW:KHZV9s6bRbFBg
Threatray	5'315 similar samples on MalwareBazaar
TLSH	BA94AEDD766431EEC85BD472DEA82C78EA6064BB831F4107942316EE9E4D997CF240F2
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

From: Stacey Tsai <info@ombudsman.uz>
Subject: URGENT RFQ - FOR BDMC 2020 PROJECT REF :32ED121
Attachment: Quote.Gz (contains "Sbin.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

84

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VEF.13719.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-06-08 18:52:42 UTC

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zujawjnvfz3saqsbhf4dy6yy6slla7233dz5jrjovcyusmmnuxpa._file

Verdict:

malicious

Similar samples:

0a18c476254735864b8ab07e5223bb310207954cce179c4b773345d73247113f

3a65203b683e8f50436aed7a76531617e566c4363ca795885683479e4a3430b6

46d500e1f512e941b4c282d92908fb244439bede7a604381f761823d66f8ba2f

6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b

a658844624b4f1c5dd792ba527d7f04945aac9be928febf34813b3028deaf0da

b1809788389e6fbab24abc12b306b2cd4d88a59b983b5a469a63d923e572fa6b

b42bb3af52ae6b9fc8dd890fea86abad727db5ae0647217d2f5f2035bc5c2c7b

d571629d266c5354146cdfe698d79c88c33e598aa6c8d9a0587662c6b5421ed2

f62545db6d573b7145c40ce57f9d85eafaa9ffd95923178d29a02845def94b0c

feb3b84e0ea9e1c3522e9a3258f8578ffe461a43ce41920d6b41fa19520ac7a2

+ 5'305 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook persistence rat rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-ppgnzrds46/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Deletes itself

Reads user/profile data of web browsers

Adds policy Run key to start application

Formbook Payload

ServiceHost packer

rezer0

Formbook

Malware Config

C2 Extraction:

http://www.spatren.com/k0f/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz fa44535af48a60a61eb94db2d19b660f4f00307b98adea97411f21b367b7ac30

exe cd120b25b52e7720424139783c7b18f496b07f5bd8f3d4c52ea8b149318da5de

(this sample)

Dropped by

MD5 c01d6bbf148bbd395e03781721a96ff9

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 fa44535af48a60a61eb94db2d19b660f4f00307b98adea97411f21b367b7ac30

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample