MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3f68e3679fc2ab587e712ce137e107318ebaa6bd5e724a76200bb10c945312b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3f68e3679fc2ab587e712ce137e107318ebaa6bd5e724a76200bb10c945312b
SHA3-384 hash: 43169c901c3a173299696a113edc862eccb31f53c892bf7df041f9f6d77bc00bccaa633907a9e3b15a7f660978606c39
SHA1 hash: f2744185e692cedec652edb07b8a174c34e9f327
MD5 hash: b9c6aad2753d835eefeeae486fac18ba
humanhash: quiet-potato-march-hotel
File name:ORDER_29741.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:404'992 bytes
First seen:2020-05-07 07:11:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:IvWNt7z3fkTD5FUKaXVnHuSRHHdOT1/OKczDJ5E1lOg:IuNt6PUlVHuWO
Threatray 5'125 similar samples on MalwareBazaar
TLSH 92849C98322C72FEC827D4728ED8AC74EA51747B635B53239423459D9ACDD87CF248B2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: qualitech-solutions.cam
Sending IP: 111.90.140.145
From: William Thani <w.thani@qualitech-solutions.cam>
Subject: AW:URGENT ORDER
Attachment: ORDER_29741.rar (contains "ORDER_29741.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.44821.7183.18148.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 03:36:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4p3i4ntz7qvllb7hclhbg7qqommoxktl2xtsjj3cac5rbskfgevq._file
Verdict:
malicious
Similar samples:
27379cbd39dae5d145ff292ffd71387a5508bba83997177272742b486cb4e662
FormBook
31d1428b910df6a6b0bc62b597f5c4c88514cba2ecd8c8fd28410ab97952b7cc
FormBook
5faba24468dbc655649ac2467b30d89f0e9d7f2bd9f827656a157494d132b607
FormBook
6012fb54cc0a67842710e7189ebfa42c27d30f18a604fbb4122734fb23b7accd
FormBook
7f30518d5d377a5daabfdf24a509e35c46b04f951500fec7a78e84724c4cdbc4
FormBook
916237116e09e4233846389b7410a8ccc7e7ef96c0ed97c3fdb19a08499504af
FormBook
accddeb954844341b87c006344f21c50757cd228d2f071d39e8707209b1a49f9
FormBook
ca6c6262134182f4bc6367855eaf6a390bf9f3a1b95e7238f3480dfe8baf50db
FormBook
e75e9eb97fb635737341ed9fcfd25471fdd9889e75305bbb6b32bbee19b32d52
FormBook
f34f4e3d8e9c1ec1d066d75d07f3d93c70931d6a54d736dc12f83b8277db2557
FormBook
+ 5'115 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-7l72efhxf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nyoxibwer.com/20w/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 17eff131672ab095f9227f238d69b8c1ad788f27ffe45a9ddf1d5586e83e06ab

FormBook

Executable exe e3f68e3679fc2ab587e712ce137e107318ebaa6bd5e724a76200bb10c945312b

(this sample)

  
Dropped by
MD5 2ea874d409822a28ade3924c11601e7d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 17eff131672ab095f9227f238d69b8c1ad788f27ffe45a9ddf1d5586e83e06ab

Comments