MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2ff7c5e749d36ebfcc2a9d5af487369e454ef301a859eb8fc11ebe15ea73e34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2ff7c5e749d36ebfcc2a9d5af487369e454ef301a859eb8fc11ebe15ea73e34
SHA3-384 hash: 74d67d84af68510a44f462a8739d60b687d337efbc88279dca8b7e2c58f93610068cfcbf973628ae84c6b4383de03fa7
SHA1 hash: c3bb30592f68bb0071b72828ee1480ed673cbb85
MD5 hash: d9122108ec3cd7a570190d6add288526
humanhash: asparagus-salami-summer-berlin
File name:Remittance copy.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'045'504 bytes
First seen:2020-08-18 07:39:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:mc1iOc2gz73rDATklitnVv1qUPseq6xCcoueWhX:mc1xXg/7DATOiD1lPdx
Threatray 2'268 similar samples on MalwareBazaar
TLSH 1325D057638CAB2ED1BE56F7F07588469BB0C255A1CFB39A0DCCB4B029D3B650DCA160
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.environment.go.ke
Sending IP: 41.89.1.174
From: ADMIN <cas@environment.go.ke>
Subject: Balance Payment_Y/ref Invoice No. 309320_ EK
Attachment: Remittance copy.rar (contains "Remittance copy.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47591/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Sending a UDP request
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e2ff7c5e749d36ebfcc2a9d5af487369e454ef301a859eb8fc11ebe15ea73e34/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 23:49:00 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4l7xyxtutu3ox7gcvhk26sdtnhsfj3zqdkcz5oh4chv6cxvhhy2a._file
Verdict:
malicious
Similar samples:
0c6ef50f134bbd723eddc99d8f9fc78b37e7e2590ec907ce4209075677add6d9
Formbook
1f6cc75fd60ebf9094d1e446292692518dae884f795b5db70b879e0fb942074b
Formbook
684c2ac7c5d08c046fd4907cc4466827dc01fdd403ff7bbd64c5aa247884ac74
Formbook
703ff50ce5c0478d29687466ee83df7f4d7f302343039cba3bab46405e07433b
Formbook
8b6a946bbba908d8087fa23d3eb420ade3d88ea8c36023a97e6b9129c6453988
Formbook
9bbebb59b74b06b6d1db59d4d33f0baa4a6d44ec18b51b4ec11b9ae210e8bff8
Formbook
b6e89905d6d6238171dd9b2fe24dada39d4ca0f9e7634229e5c43b5f3b563dc5
Formbook
b92daf26444f20dda1b9473af9b4016f67fc4e87761b1429021aceba77e3dd5a
Formbook
bb2f11cf6a69920db299f01b3f971aacd7277f0d37884deff05cba52e59b2998
Formbook
dcdd457e51bde64c24cf118ac54c8489efbc4bc55b5f1afc4facdfe673d3543e
Formbook
+ 2'258 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200818-73yt4ml86x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.iskovlay.com/mcn/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 7e7e37a5af18b4dbb1bea9842c0295c965431baf2e0cd0d61e62f0bb278c79ac

Formbook

Executable exe e2ff7c5e749d36ebfcc2a9d5af487369e454ef301a859eb8fc11ebe15ea73e34

(this sample)

  
Dropped by
MD5 3b932b5ad13171ff702c7c61e6292b62
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7e7e37a5af18b4dbb1bea9842c0295c965431baf2e0cd0d61e62f0bb278c79ac
Cape
Cape
https://www.capesandbox.com/analysis/47591/

Comments