MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f03893940d05b4b6121df9493b25f4eb1ba37caf2d3c1333d90891997430fe81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f03893940d05b4b6121df9493b25f4eb1ba37caf2d3c1333d90891997430fe81
SHA3-384 hash: 0583b37494de0aef63146a5bd5848e8381cee5a7f0f107d74658ffff5cd3ae21d0c939544f358ff222f0e15726167f55
SHA1 hash: a7d43886c7ce798d8f72c7f9f9013834b4d53e45
MD5 hash: a43dba454dfe651de7019c2a2ce397a6
humanhash: sierra-sad-harry-twelve
File name:Scan_25052020.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:359'936 bytes
First seen:2020-05-25 12:36:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:tKEFXkOeSi0kEiIUi3AmbGdw/nwQgqIh7HTpomVBplK+SmVMSvInjz7k2x:XFXpe50kEtUisYZg91tVVKSBmL
Threatray 5'200 similar samples on MalwareBazaar
TLSH 2674AE7843EAB71BC65E52B9C965404E73E18EA7950EEB0988423DED1E3B743E8035C7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: sv7284.xserver.jp
Sending IP: 183.90.237.125
From: Mklein <mklein@harrisford.com>
Subject: Wire confirmation
Attachment: Scan_25052020.img (contains "Scan_25052020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.UZF.29913.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 13:37:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 30 (73.33%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
2ff5f726080125732c91296d7bce8b496e5d50d2fb8b3d028f0f41990565015e
FormBook
3ce52727b410ca156f57c480ca81a851240f6c93803a9f74c9b6bebbaf79b6a4
FormBook
7d65c5f831361d3e7441c49dfe9e5a286c1b142fa1315c3460e144b240a2afaa
FormBook
9374c211fc924cac59bacbe5a688f3a25f740cb324d58b239da0c070b7393749
FormBook
ad666104695e25301fea85ddfa1d6d947482e8b86187e11f91768cf75b0472b6
FormBook
b2d60c8915d3180d7416c1c7067bb63b0002145b7dfb0fecfb2899cbabf0c274
FormBook
bae14f53a8553b739d9eae5d0f751e608e7f33f3d7fecf92f345bc806bf676d5
FormBook
de2865a1da0ef59ba900462dc92a276d1a594044e739df34262d4b0f7e86bcf2
FormBook
e69790e910b1817bcfb714f20fda02b6e024babd3dfcea8fa982192928a5df93
FormBook
ed21049192c51ab75191b0791aa7d746b86fc3bca997cea24726399a45a734cd
FormBook
+ 5'190 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-qmw9kkhv16/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Adds Run key to start application
Reads user/profile data of web browsers
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.stilonf.com/hb7/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 6e53f7c0b3903e52d246a7ff81febc6e2089e5d9723cdff6079c1cc0311d1c95

FormBook

Executable exe f03893940d05b4b6121df9493b25f4eb1ba37caf2d3c1333d90891997430fe81

(this sample)

  
Dropped by
MD5 adf139966d3025bb4a6d180ece66a3ed
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6e53f7c0b3903e52d246a7ff81febc6e2089e5d9723cdff6079c1cc0311d1c95

Comments