MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e56366d78017d877b4413031f23021dce6f39cd2207bd4324967df5aaab3c4c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e56366d78017d877b4413031f23021dce6f39cd2207bd4324967df5aaab3c4c0
SHA3-384 hash: 9bfd90d3e77ef09c2be429d739f9fbb33faf93bbbafb6174769241dbea0f6715a3ba4b5fb87829a0587468c3060b7d68
SHA1 hash: 80e280ceb2f2fb90f6db4c86133af1c66a1fc107
MD5 hash: f9c951fd6320194c2c33e9f4a4cf5770
humanhash: avocado-snake-undress-queen
File name:PO-HNK6292000110.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:364'032 bytes
First seen:2020-06-29 06:35:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:+Wg2f/sah/AULaDouD4g8iKRfjPf4QDjvGNlDbIlqBQjoT:P/sbDoaoXRr4QurvSYQjG
Threatray 5'230 similar samples on MalwareBazaar
TLSH D774CF5072F9870BE6BE87F81570115047B639167623E35C9DC130EA1EB77820BABB6B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.asiatype.com
Sending IP: 68.66.213.125
From: Leo Cees <care@spectrogroup.com>
Subject: NEW ORDER
Attachment: PO-HNK6292000110.rar (contains "PO-HNK6292000110.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/15399/
Detection(s):
SecuriteInfo.com.Fareit-FVR97B1CDB35EA0.28661.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e56366d78017d877b4413031f23021dce6f39cd2207bd4324967df5aaab3c4c0/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 06:36:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4vrwnv4ac7mhpncbgay7embb3ttphhgseb55imsjm7pvvkvtytaa._file
Verdict:
malicious
Similar samples:
17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
FormBook
2d4056fad1be6f7748d20dfac087ba9161d7555f0a5f021d462d226e89787ce7
FormBook
4e68480fbf23cd8b7efedd98614f1cd26032b955b4fc721e6622c62e4bb9f447
FormBook
5cdf6c041962460b405e1bba40fbfbda38571623012c2079fb6502178e860861
FormBook
5d8b65f8c8dbafc49e02925b7caee33bf456f0aa396c5dabaf526578ff4a6a5c
FormBook
8e3558d36802ba3f0da7c2b1188d5f12918959c2674e5421c2d15fad57d712e9
FormBook
b717668f4cb542152a0b021d4c1cce6425692b80cec9c3384d5a5e9b602783ba
FormBook
c56c8ea787e000ad095d2d1bc0e0a651e1571d3f784e09f7f6c86fa8771efddf
FormBook
d1e9ede488849faab5eb3e767704a4644cc79e6eaac8fe996d90fa164e68f620
FormBook
fbc04306880313e1c67e38265c9ec331f336cba5bc461266e05228b22094defc
FormBook
+ 5'220 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200629-rg19whgsxn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads user/profile data of web browsers
Deletes itself
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar d38e9d23f19bc76a739a06ca94b8bf564a472624dcb036264674fac9b298247c

FormBook

Executable exe e56366d78017d877b4413031f23021dce6f39cd2207bd4324967df5aaab3c4c0

(this sample)

  
Dropped by
MD5 adf9e960ed7a96f2ac3e3f85d23e032e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d38e9d23f19bc76a739a06ca94b8bf564a472624dcb036264674fac9b298247c
Cape
Cape
https://www.capesandbox.com/analysis/15399/

Comments