MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df2bbdd833be8896f46c8660acfc9da2711f2a75d8338240b781fc6ee3964f9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	df2bbdd833be8896f46c8660acfc9da2711f2a75d8338240b781fc6ee3964f9e
SHA3-384 hash:	a5df3b05d2ef76c9c1f29f4ac15b7bdddeaf4e37dcce44edf1e5f5c5a713d1e26b4860226731f0c39710bf372cbec0bc
SHA1 hash:	139eeca2b690d57727baff58c7ca8a482f9b8ca6
MD5 hash:	f5200d15a07bcc43ca60af2aa0052bd8
humanhash:	alanine-bakerloo-blue-ack
File name:	Inquiry.exe.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	404'992 bytes
First seen:	2020-06-10 07:35:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:NJBNtEx/ND5L9RcOuzcc0pZcrWfu+qB93gNt:N7j0rcOuJTrWfuq
Threatray	5'124 similar samples on MalwareBazaar
TLSH	27848D8D3654B29FC86BCD72C9A81C249BA0A4A7571BD243A44312ED9E4D7E7CF106F3
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: WIN-KP3NFSDUTC3
Sending IP: 172.93.161.29
From: Phạm Quý Hoàn(Gr)" <lina@ltfootwear.cn>
Reply-To: brianlee0147@yahoo.com
Subject: Attention needed as per Inquiry
Attachment: Inquiry.exe.zip (contains "Inquiry.exe.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

64

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-06-10 07:37:05 UTC

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=34v33wbtx2ejn5dmqzqkz7e5ujyr6ktv3azyeqfxqh6g5y4wj6pa._file

Verdict:

malicious

Similar samples:

035c2fa5d912202dd34e8410b14a42b0db007c2be8ed819bbc444f9818497f5b

1d24189fffd0bdcb0395a3670721f29f37d08bd80565471db28d45ac36b2cbc9

54afdaff6d05973b7c58978614f80dac9060bca2ef2f0e1835fa05b80e3da626

575cd2d06aa99a48ed59b412bb87aba3b3e3cd66093c7f9efd118bf533032ba3

79f15bc55fcc0e2f863a81accfb76b601531a909ebf009d57176dd18edf46d7d

9099123ab27c467c09e2483339756820e29e6d8cd3d0346305d3873902e4af65

9bf2e6afa0656c8129746c95784146ba85f15ecf46081644192e5bbfd5899144

bb973839df53081c969a7e6647bdfc2d3090b43b496fe8e2244a51a604264112

e6de9e86b470184110650c77b487796a8fb27d67a60b9e0ca7a113df7eefdde6

f6557b3412ca78e87ff38632aaf24732b74da646678fd6ea5f01134bb498fd14

+ 5'114 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-vcphv53p9n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.joomlas123.com/4vx/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 0eaa411d40028430e9194525daa73fac9c05010a32708147bb45b8bbd8455d5d

exe df2bbdd833be8896f46c8660acfc9da2711f2a75d8338240b781fc6ee3964f9e

(this sample)

Dropped by

MD5 850033b819979e56d3f0d802e378251e

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 0eaa411d40028430e9194525daa73fac9c05010a32708147bb45b8bbd8455d5d

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample