MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d13d1c39956ee9f7123416a5b52f9f631aaeca544d1af3fb48b446485c59d377. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d13d1c39956ee9f7123416a5b52f9f631aaeca544d1af3fb48b446485c59d377
SHA3-384 hash: 5397a5b24dbbf31bd5a8c7a06f29945d6f285b44c83c514a162a24cd0ffb7c3f965e22fbfbe6424956b0290344482071
SHA1 hash: 774b84d7b3718dbaf6d44ecedd6840773f182e09
MD5 hash: c2f3f6d7506b6e46e562436b94c3f304
humanhash: connecticut-whiskey-lake-georgia
File name:Shipping Documents.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:344'576 bytes
First seen:2020-04-16 10:42:07 UTC
Last seen:2020-04-16 12:01:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Zn55VZ/LxaClUiqdWWJ9udyRYBLERGreo3DwbPy7Khw3EOz/ZLVvo:Z9Z/LECaRdXJ6iYIEreVbPQKhw3EOz/s
Threatray 5'095 similar samples on MalwareBazaar
TLSH 7B74D157B74DFA47C79D2E39C56A63FA2520AD11E942F30B72C9FE1CBCB0B916009285
Reporter abuse_ch
Tags:COVID-19 exe FormBook


Avatar
abuse_ch
COVID-19 themed malspam distributing FormBook:

From: ALI @ Rajguru Dehydrates <sales@rajguruindustries.com>
Subject: FW: COVID-19 LOCK-DOWN / SHIPPING DOCUMENTS
Attachment: Shipping Documents.zip (contains "Shipping Documents.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.39031.11745.15185.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-15 23:41:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2e6ryomvn3u7oeruc2s3kl47mmnk5ssujunph62iwrdeqxcz2n3q._file
Verdict:
malicious
Similar samples:
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
FormBook
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
FormBook
5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
a0d38e74310877d9ee7a4d0e75e25272adb25199527d19bc08c0f1ebb21f9ce6
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
c0e1210ec3e11a5d71cdbf2edfb199539f891a1bdb27ccd97eaf0fb70891c615
FormBook
e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
+ 5'085 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 614b107870af3963833133e1c0c5f5bfd6765833b865dcb60c075064ed3093c1

FormBook

Executable exe d13d1c39956ee9f7123416a5b52f9f631aaeca544d1af3fb48b446485c59d377

(this sample)

  
Dropped by
MD5 740d20b73ab901afdab99a40851f74a9
  
Dropped by
SHA256 614b107870af3963833133e1c0c5f5bfd6765833b865dcb60c075064ed3093c1
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments