MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e612395c208c33ac098871ab443be6ef007a90a48697b787aa3460cdefad79e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e612395c208c33ac098871ab443be6ef007a90a48697b787aa3460cdefad79e6
SHA3-384 hash: 2f06a3cea5a50d8aa5269aaed08bc85c3d7b37b8591248355b5e6c0b87ed75de028de4778033e089a04d364ad475e482
SHA1 hash: e5b9954accc4043763b79e6ea726cbab02d82567
MD5 hash: b87516fafed06dc4e0375bb2c045ec99
humanhash: ohio-crazy-kansas-video
File name:PRODUCT LIST AND 3D DRAWING.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:841'216 bytes
First seen:2020-07-01 09:16:19 UTC
Last seen:2020-07-01 10:01:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:pXUG/mHkW2wQOlLs9pR6pNzxP8myyyyYyyyyyyyyyyy:ReHk9alLs9pgpN+
Threatray 5'239 similar samples on MalwareBazaar
TLSH 98053AD1F65406E5FE7A03F664335C2107A7BD7DA9B4E20C0D8DB2E65A73782016AE0B
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17632/
Detection(s):
SecuriteInfo.com.Variant.Barys.55373.29840.22849.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e612395c208c33ac098871ab443be6ef007a90a48697b787aa3460cdefad79e6/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-07-01 08:00:26 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4yjdsxbarqz2ycmiogvuio7g54ahvefeq2l3pb5kgrqm335nphta._file
Verdict:
malicious
Similar samples:
474cad642b1cf88f8d7f922cbfd9b8a00d7fc0eb40cafc0877007ee2884f105f
FormBook
4e8ddcec5c75934d0418b3f5f66c20925bd67b6acda0bb0c3a0ee684865a6e4b
FormBook
6023812166224ffe7f3ff3efacddccd27c4ae1f09aa2dc9e2f5c8557d6bb4382
FormBook
64ac97cf73567009fd4ea4707b2c0ac2917c74842a81bddf874889d772bf9146
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
9c7b335e031c3c2fde1e7d75cbe08bd0951b0cb8a327fa4bd3e54c4c59d32936
FormBook
b97bfa891b722322095fcbd10be1c232066827749e4f5dc945beacf1a84d1658
FormBook
c18688396cc85fbdaa5bdb078cc875c657feb259dc05201ad7a33a6113f36a51
FormBook
cc02c528f1eccf6891f5c97815c5c97560ca1c92849e35669bf061cb55e6289b
FormBook
e58d299e799026f70c33649310efef0e2ccfa45514fa554dcc0f4eb9fbdf1cf2
FormBook
+ 5'229 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/200701-58qltk5c36/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
System policy modification
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe e612395c208c33ac098871ab443be6ef007a90a48697b787aa3460cdefad79e6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/17632/

Comments