MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f495df589f3d5ada5d486d3795de4ddf24d296ae6af572a635ad00c4ed716088. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f495df589f3d5ada5d486d3795de4ddf24d296ae6af572a635ad00c4ed716088
SHA3-384 hash: e9c66a208e96a8252929b8a8cf76a471690d5f467bfa5f490283a9789c1d87ba707c82edf7e707d233ca527372e00734
SHA1 hash: 324025cefd5a657d09bb64e15a4ec2db779c6b6f
MD5 hash: 5468c372aec9a9401f596876b351a2b2
humanhash: shade-music-maryland-cola
File name:RFQ 20RFQ00106 - ID N°. 04129.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:490'496 bytes
First seen:2020-06-11 05:43:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:chi6ZLcxUnUdYRT14rJbVZxqQcLVK9ohmz1RzcpqHH+u61rM:ZAooRT18bxqQLJmp0h
Threatray 1'533 similar samples on MalwareBazaar
TLSH DAA4BF043AD5AE4EC72E0DB2446328505BB0A6737E0BF3835CDB11CA656DF8A4B51B9F
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: cloudhost-67388.au-south-1.nxcli.net
Sending IP: 103.224.90.42
From: Jody Panzer <jody.panzer@parker.com>
Subject: Confirm RFQ 20RFQ00106 - ID N°. 04129
Attachment: RFQ 20RFQ00106 - ID N°. 04129.zip (contains "RFQ 20RFQ00106 - ID N°. 04129.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/8858/
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-11 04:29:50 UTC
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6sk56we7hvnnuxkinu3zlxsn34snffvonl2xfjrvvuamj3lrmcea._file
Verdict:
malicious
Similar samples:
21cf18a3f7318d77dbab369b9095a9f18a5e46b6b99608d5a3d69c3ecd70be06
Formbook
33ebfd8e209828818c29eac889a86e84eba1e9f428dc839f3a2a2fb57ade8d22
Formbook
5f2517598649fe78e58966a15e9fea89e43ee57aa0ad6b779ef18be53eb39a2b
Formbook
726e05271ef6a6781ecd7bd9b130e4621734c991160d820f0fdd61186f5fbd55
Formbook
8e7bbf8a58e3633c72514c11d5a4c161a6d2a2c9fe04111375ec4fa82580baef
Formbook
950d32041bd422de6e75703707b17e94f27235d3632387f02d21160c71d2735e
Formbook
9b5b44ded4ede28d92834c4db286780a5628d02597a739ff3633f808d47f0939
Formbook
c39d2b521f5ad659826516372c61ccaa1bb588b2d7e05bc66fb069fb83feb4f7
Formbook
da5b47ddd8d07eccd9cbe46fe79214834b10b19aa3dcf6e7bd11d4681d9e5177
Formbook
de78d6ebc53d0a17441d132529eb2db65ec206e7f4223382337e190aec29b150
Formbook
+ 1'523 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-zq2gdlr13j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.joomlas123.info/0rrc/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 38be8fef0c9e8017100d56ac240aea25d3a2c8712a532f10cc9ffaa20763400c

Formbook

Executable exe f495df589f3d5ada5d486d3795de4ddf24d296ae6af572a635ad00c4ed716088

(this sample)

  
Dropped by
MD5 8861fb60613b98ee38f23f3a717f7d30
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 38be8fef0c9e8017100d56ac240aea25d3a2c8712a532f10cc9ffaa20763400c
Cape
Cape
https://www.capesandbox.com/analysis/8858/

Comments