MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3bdb2a06e43b09073cebd4f7a7fe633d45d1c6d149885f7b815cc591fe3b453. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	e3bdb2a06e43b09073cebd4f7a7fe633d45d1c6d149885f7b815cc591fe3b453
SHA3-384 hash:	ec6e8d1c9e2f62cfd19f3decb7a126c5ef3b580cbada4fc984e424b4d767aff092e005936fa01268e74f22b96968ca2f
SHA1 hash:	41333801dbf9baf03c5f1ed42a2ae62b0071d011
MD5 hash:	a93acdb68c416f5f3508b9099bbc9f5f
humanhash:	failed-november-apart-cat
File name:	new_bank details.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	306'688 bytes
First seen:	2020-06-15 05:30:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	6144:MMIWmRtXGs88BFKRLyzU85e+1VZV7hf70wAhuo35PdBZTBW:MNV8D+e+/ZtNIwuPN
Threatray	4'848 similar samples on MalwareBazaar
TLSH	7A64010C6B8CA225C57D467D9AE6148083B7D5B72433F32E1ACC365D0FA7BE28192B53
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: mail.cavallaro.com.py
Sending IP: 181.40.114.234
From: Cavallaro Bolivia <cavallaro@cavallaro.com.bo>
Subject: Re: new bank details
Attachment: Bank_details.rar (contains "new_bank details.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

68

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/10214/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.34016426.19424.29719.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-15 05:12:32 UTC

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4o63fidoioyja46oxvhxu77ggpkf2hdncsmil55ycxgfsh7dwrjq._file

Verdict:

malicious

Similar samples:

00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35

01563eeff9cd4cb84253c2c9bc40762d118780ab89c6c7b82ce9c9cf0a56a818

0cd1ca47d2e04de65562e1ba4d8ce4545ee486999f8f0eb7adc880c7fb7fc9b8

1a96662a743a681756e4ae5ed7a3d259cca5a50725413698c1769939a950b455

2ad145ebeae4ff20eeb893b16658fe43d7557f30c746edc355a5dceb393bf8bb

5477643235b833aa541ecdc02ee302b141a306c8ab01b08341341f4a2fb20341

8697eb117ba4ca2b18a9a7bbdcbd201cc062e2e79ccbc9d8ea785baf5b868657

aeccef59002b851b685cf54307f906c06adb065b68c3eff112f4b0f1442d1349

d7083f1007834bbc16f0b6d2ee0e1e2b9e79a04af2a2e21f2d2682c9dff939eb

e65997e20f521c8eee713623c45c9600a7a05629c85d73c9dd2bdf696f43e5de

+ 4'838 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-f7q9j5wvfs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

rezer0

Formbook

Malware Config

C2 Extraction:

http://www.tromagy.com/yx5/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar e5972ae238058f963ff7491f7f260d81213ba65a1536b605f5a5ce02e5e92166

exe e3bdb2a06e43b09073cebd4f7a7fe633d45d1c6d149885f7b815cc591fe3b453

(this sample)

Dropped by

MD5 34f80b708b9825a3543fadc75d5eb520

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 e5972ae238058f963ff7491f7f260d81213ba65a1536b605f5a5ce02e5e92166

Cape

Cape

https://www.capesandbox.com/analysis/10214/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample