MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc6eb23c871bd7c54a5a38c3806d021a413b4897358a86915c7b27c7cca9d202. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc6eb23c871bd7c54a5a38c3806d021a413b4897358a86915c7b27c7cca9d202
SHA3-384 hash: c0fa4919861a9d83df80c13d0712d02071a2aae39c0dc6e0c797dc1aab9bac8591825f7d1b34fd43a0df947437ac0bc2
SHA1 hash: 415a1c9239fef518bcd9067c59701dc1a38da271
MD5 hash: 9dc166f998f972f0c3fb27ebac61aa01
humanhash: potato-california-august-king
File name:gunzipped
Download: download sample
Signature FormBook
Create hunting rule
File size:337'408 bytes
First seen:2020-05-13 16:24:49 UTC
Last seen:2020-05-13 17:06:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:JMbte+JoLZMroMwCMxeL3bjrIhN5w/pfbQurAJWOt+Fq1Tv59CizCQtQCnvI/hE:J6tSZMroMwSzbjgL4zfrSt+g1Tv59CiD
Threatray 5'295 similar samples on MalwareBazaar
TLSH 3D748DBC71247AEFC81BC576CA982C64EA6034BB531B9247811715EDAE0DA97CF244F3
Reporter abuse_ch
Tags:DHL FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: u17053547.onlinehome-server.com
Sending IP: 108.175.12.254
From: DHL EXPRESS <info@eleasunn.com>
Subject: Identificación de envío de DHL ID de referencia: 446331576544600
Attachment: scan_Shipping Documents BL,INV and Packing List _PDF.z (contains "gunzipped")

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EKNL.5495.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 16:36:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3rxlepehdpl4kss2hdbya3icdjatwsexgwfinek4pmt4ptfj2iba._file
Verdict:
malicious
Similar samples:
17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
FormBook
3de57656bc920af6ada5c995391e33546524ec7acd4e9182364dfcaf84b3b8a3
FormBook
5eb9ca5476eb4c9c83bbb5d6bbb7ff90474749121e2e063bbd9e988c4e4917e2
FormBook
6963991b3f7b0d0870130058d1494481d64003e95bbb5fabfb024de68582c02e
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412
FormBook
9daa8e87928b88143b9482b989764524754c86d142027ccaad1fc452f52c1765
FormBook
a88caf11b01cea311aca13b6e757a8974d5033e1acb8749b9d1951ed0d93d44c
FormBook
b1d9adc8ee80f24960fb84adbb029695e49763faecbf559f92410d44bf28b0d3
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
+ 5'285 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
coreentity rezer0
Link:
https://tria.ge/reports/201109-8q7fvsqrha/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
rezer0
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

z b0878d983fbe791666435775c47096a408789852c6d06d0618a23ac3bab2a038

FormBook

Executable exe dc6eb23c871bd7c54a5a38c3806d021a413b4897358a86915c7b27c7cca9d202

(this sample)

  
Dropped by
MD5 4085e36a67e36c5b808016050082573e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b0878d983fbe791666435775c47096a408789852c6d06d0618a23ac3bab2a038

Comments