MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfce53d1db27bf03c7c8afe4a7841c5c18237ddddbc4e5af8595e1835ab7f5cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	cfce53d1db27bf03c7c8afe4a7841c5c18237ddddbc4e5af8595e1835ab7f5cc
SHA3-384 hash:	3764458bba76927d1bbbea09fcd0d8a504d3f2029112f78cfcf447a1c8d7bf00b4d6a78e8626b7051a760753a7fd408c
SHA1 hash:	1058f38479e42324090794dfb769cd0484321207
MD5 hash:	8010a4938d9170d1427f9825b2e48e64
humanhash:	seventeen-coffee-solar-oranges
File name:	attached template.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	330'752 bytes
First seen:	2020-05-06 10:47:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:JIqwYd7/x4zYaGX2Qf9mc9k0VF+cX7GqJT08KeEQdbNhmYyUq:JIqvd7/SzYaGX2Qf9mo5fXLJo5FQtNh5
Threatray	5'090 similar samples on MalwareBazaar
TLSH	3B6401ECB750B19FC863C4779DA86D64FBA0B07B931F5203A01352AC9A8D697DF144E2
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: cathay-food.co
Sending IP: 111.90.140.123
From: Gabriella <gabriella@cathay-food.co>
Subject: Request for quotation
Attachment: attached template.rar (contains "attached template.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

86

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-06 05:20:27 UTC

File Type:

PE (.Net Exe)

Extracted files:

5

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z7hfhuo3e67qhr6iv7skpba4lqmcg7o53pcoll4fsxqygwvx6xga._file

Verdict:

malicious

Label(s):

avemaria

Similar samples:

0098bf2ef8230d9bb30b451868272ffb271fe63a8c248bfc9ce569991c19f279

112b6fe2084ca3501c8a98a9cd90f60ce691a438864be736b049062379195818

1940c82d728454e9a43d2efc7dd0033fcbf58880b32d227830e54a43b885ca3c

1c22bad3a6eb408ec1f4d6ef50b04e2294a77979abc411f9dbb752e2b495345b

3f86f49f3c2e3583c70385971bdba545c85d8f2d66f8923bf446dde88be3afc0

4b83753be005d3668592559d6fe011fda590558f730140f6c303714ac8fe0d93

8ec5d666ff1af04113f22c80294db956bedff4123e59ee925c5583c47b7794ec

9ba9dbccef86d6630e4db6c7538eb4043232c7f234c1377eacdaa6543d2b8af3

f646b35153e14b1c060f94dfa4e3467165946dd9720b8ed63c2e8b144f132f22

fc4b84d2226bcb153d0f93007ccfe4277efad09572f0ea2396a7700e93cfebcf

+ 5'080 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-al172ytzv6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.doverax.com/c2h/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 911455c9b91cfe1de2d67037a4df7f09f4354e82de08fcfc1bd0bfa275c41dda

exe cfce53d1db27bf03c7c8afe4a7841c5c18237ddddbc4e5af8595e1835ab7f5cc

(this sample)

Dropped by

MD5 dec3794ee7253595782a04ca7d1cca0a

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 911455c9b91cfe1de2d67037a4df7f09f4354e82de08fcfc1bd0bfa275c41dda

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample