MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0c528ff38bc3df66a153a67e545e37157bc427ab0ffa215e85ce20f12a73b74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0c528ff38bc3df66a153a67e545e37157bc427ab0ffa215e85ce20f12a73b74
SHA3-384 hash: e4dc687347f6e1f1493952ba8aa4b9687e57894beb08baaf17f12a0b4a873795af373c1904850def3792a8827928f796
SHA1 hash: 98f5977390fd3b199e4630f37e1add42d6ee1355
MD5 hash: e4a783725163f85bc76461f6d179cc41
humanhash: mississippi-bacon-comet-oklahoma
File name:PO2020527.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:510'464 bytes
First seen:2020-05-27 18:16:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eff4383a0660ef8798a09085a4d832a3 (3 x FormBook)
ssdeep 6144:lBWeaqJFYCPxtwfyVJiCviwH1gx/xF0tBUyv0Qi3jIC9PD+p:eeDiCPXwa7lawgxUb0bjId
Threatray 5'098 similar samples on MalwareBazaar
TLSH 13B49F7E7F47315CF91A0E393B7458A5B0E66E9A7E28B08229B73C7276735C150A4332
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: host.qomlavy.com
Sending IP: 69.16.254.67
From: henry@diwatg.com
Subject: New PO
Attachment: PO2020527.rar (contains "PO2020527.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 14:12:42 UTC
AV detection:
19 of 31 (61.29%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
emotet
Create hunting rule
trickbot
Create hunting rule
Similar samples:
228e2e5ff30fec5cdde918f48e98664d9bf1f77f550666baa21208ca9b047af4
FormBook
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
FormBook
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
FormBook
45024576e848c50c9199cbfe61462e11551ec6ce99cb7ca39ae929dc77aa348f
FormBook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
FormBook
9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412
FormBook
b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663
FormBook
c3a0d9429eb5d4cc6b349e7aecccf38c79d7878074d804fe969ae8fcff7376c1
FormBook
d05efc3d09d7c08668da10c09101815e0af2f3376a03512e959ca467835b9c26
FormBook
ede6df4a8c12ce93266ac2c5ace537e336600a441aa5a271829a5013e8fa20c0
FormBook
+ 5'088 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-49n4pl6dfn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mafov.com/k91/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar e35434b0e598de75521c241335a82cdd5174c03209254ec2d984cc17418ebace

FormBook

Executable exe d0c528ff38bc3df66a153a67e545e37157bc427ab0ffa215e85ce20f12a73b74

(this sample)

  
Dropped by
MD5 20e7b203f660fe5761833ce59e04d281
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e35434b0e598de75521c241335a82cdd5174c03209254ec2d984cc17418ebace

Comments