MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0604fe76ff35e2311825f1822171208bd472c764dfbdbf45e20fad47f6a4472. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	d0604fe76ff35e2311825f1822171208bd472c764dfbdbf45e20fad47f6a4472
SHA3-384 hash:	77f0d370e13bb9f05b3aa3245ae9efdd12d0c6e7bab58fdd1b5411d3af87c255f58260bea6862aec1c266096f224068e
SHA1 hash:	8743bccc3cd8c5732470d831f90e614764068171
MD5 hash:	d94d1332d48398914da9f4b343c528e2
humanhash:	wolfram-xray-echo-kitten
File name:	Invoice For H sbc Payment Instruction.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	348'160 bytes
First seen:	2020-07-15 14:46:46 UTC
Last seen:	2020-07-16 15:21:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:K3wCZ5CMo4lre6p9MmM678BSuRcp07WYs2OoZ3H1:qwCZUMfrfnkSuQ0
Threatray	5'334 similar samples on MalwareBazaar
TLSH	BC74BF617F4B8E21D5BEB535E3E768100B33A19F12329B0E778C59A42A4376B9C05F1E
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

3

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/26060/

Detection(s):

SecuriteInfo.com.Trojan.KillProc2.11135.15335.26842.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Launching a process

Launching cmd.exe command interpreter

Deleting a system file

Reading critical registry keys

DNS request

Sending an HTTP GET request

Creating a window

Setting browser functions hooks

Unauthorized injection to a recently created process

Enabling autorun with Startup directory

Unauthorized injection to a system process

Unauthorized injection to a browser process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/d0604fe76ff35e2311825f1822171208bd472c764dfbdbf45e20fad47f6a4472/

Threat name:

ByteCode-MSIL.Trojan.CryptInject

Status:

Malicious

First seen:

2020-07-15 14:46:31 UTC

File Type:

PE (.Net Exe)

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2bqe7z3p6npcgemcl4mcefysbc6uoldwjx55x5c6ed5ni73kirza._file

Verdict:

malicious

Similar samples:

08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f

387119236c9bd4c60215cab8efae3cdd16a0fe9906d83016b2dc8ee425fad40d

714e525a436fc97ce8b8e31b63c79e8f13cc0577c80f613f825cafdf7fddeb1f

7da1749d927d6d2f4f8175bb1cef8c4a92793b107d24d661d83bd55c57e83df8

8d8f0c6fdcd021f11d41e3da7521ec78e5460def24bd61f7eb15879788fafcc2

9b861daa0a7b4276df89a7ec49d2dd3388366ad60a3058df70525313799a0d05

a9e4a57e85cb473702863d801a78af3c4e224ac70be4f29a99ae9f2433c0c48d

c79a75bdb7f50439434aef1de18f5eaa857b9c0affd00f8e40ef85348df6cf57

d524551cdd54b82c03f7121e7ff86cd4b2f79a524d886be9adb3f281793865f9

fe3306e3cb623199393790e95304cf4d0a24ce092ed2c5c82b48658e987fa56c

+ 5'324 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

spyware evasion trojan stealer family:formbook persistence

Link:

https://tria.ge/reports/200715-tajf5fb596/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

Reads user/profile data of web browsers

Drops startup file

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/26060/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample