MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d31a7e5639e4248f8debe115c8e6cdea00616a2b4a6a6757ea158dbe1c84748a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d31a7e5639e4248f8debe115c8e6cdea00616a2b4a6a6757ea158dbe1c84748a
SHA3-384 hash: 8dedffdf9eeb61f00482b75180e0233ed2040e1e75ab34e1f8d0ebcb8d36539be19bcf1d8f6fcaef0af8702f9deb59b2
SHA1 hash: d274831a7e3f6459e1c07d9c78ae6b39784f2564
MD5 hash: f1afc41326ef3fc69d160827fc1cb0d1
humanhash: nebraska-nine-december-oxygen
File name:Payment Copy H001510WHS.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:398'848 bytes
First seen:2020-05-21 10:38:52 UTC
Last seen:2020-05-21 12:24:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:bCs/fhcX0Xc0hE5I3+Lwg1kv4dzCpft/nhuUFkUxJTPUEISw1WmJTq96mt5t:+xd0O4vuzUl/njuUzTP+S1mVURt
Threatray 5'292 similar samples on MalwareBazaar
TLSH 188402A036F8A750E5998BF52931554013FB7A2B5AB2D64C1F5270CEAD33F81C782B63
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: lysaghtgroup.com
Sending IP: 37.49.230.203
From: MOHAMED RASITH.B <lcpipoh@lysaghtgroup.com>
Subject: PAYMENT ADVICE AGAINST P.O# H001510/WHS
Attachment: Payment Copy H001510WHS.zip (contains "Payment Copy H001510WHS.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.49161.14608.28217.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 11:37:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e
FormBook
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
FormBook
83968322ee41293c915a37779c384b39d1a0429303ed831291da984e7ff6877f
FormBook
967a6989b7dedfe073c92760bb62a30fa4348109a839d987fe9a0bce6d1d5f2d
FormBook
9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412
FormBook
a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091
FormBook
abdae1b1965bafd334bb46028ddeffc82d495bf84aaa3f44403d9a17963f12c5
FormBook
ba3486ddcb815a5bfae81495f4f48576968b3d6de9f42e0d4358824d7ee583bd
FormBook
c0e1210ec3e11a5d71cdbf2edfb199539f891a1bdb27ccd97eaf0fb70891c615
FormBook
d252bafdd21ef871df2eeed20ae4cbf3b6e2f6df268d93ea563b01aaec889baa
FormBook
+ 5'282 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-hrx31f2vc2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mansiobok3.info/eb96/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 8a49f25ba44d858ff27e35a4ff1f2263cb4604dcb7e0f3e7c1d9aa459994a2ae

FormBook

Executable exe d31a7e5639e4248f8debe115c8e6cdea00616a2b4a6a6757ea158dbe1c84748a

(this sample)

  
Dropped by
MD5 4d5d1321bccd2bfafbc68a516ea8c698
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8a49f25ba44d858ff27e35a4ff1f2263cb4604dcb7e0f3e7c1d9aa459994a2ae

Comments