MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 fad4f5a49b06971b1e9f09356dd43bf47cdeddc1b4af2d6cda4369c73a352cc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
FormBook
Vendor detections: 5
| SHA256 hash: | fad4f5a49b06971b1e9f09356dd43bf47cdeddc1b4af2d6cda4369c73a352cc7 |
|---|---|
| SHA3-384 hash: | 949338a89ffbcd5accfb270931ffe3ec0c42443e1fe2660c1c3c84c4854941d8d3d75d319dc525f7b3b3d80c476570e6 |
| SHA1 hash: | 7c5f3a99a61924b86a7699d4ccc94b9f7675dbe3 |
| MD5 hash: | ac329bd71f9aec35e3e01fc0f1bb23fe |
| humanhash: | jupiter-snake-two-stairway |
| File name: | RFQ05202004.exe |
| Download: | download sample |
| Signature | FormBook |
| File size: | 912'272 bytes |
| First seen: | 2020-05-04 17:39:39 UTC |
| Last seen: | 2020-05-04 18:55:20 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | d8229d3fd67422e902e922fed93a7eb1 (3 x FormBook) |
| ssdeep | 12288:NpLNnbcnZ9/4PIAXyfTwRGu7PYfVys4+tPxvGbC4+mEverGhuGuDXBE9c:dbtCfT2yVT4+beoHerGkGuDXBE9c |
| Threatray | 4'795 similar samples on MalwareBazaar |
| TLSH | 4A159F86B14C89DBF53B0DB3983BA9341087AEED90E1821D755E771A45F334210AFE6E |
| Reporter |  abuse_ch |
| Tags: | exe FormBook |
Code Signing Certificate
| Organisation: | VeriSign Time Stamping Services Signer - G2 |
|---|---|
| Issuer: | VeriSign Time Stamping Services CA |
| Algorithm: | sha1WithRSAEncryption |
| Valid from: | Jun 15 00:00:00 2007 GMT |
| Valid to: | Jun 14 23:59:59 2012 GMT |
| Serial number: | 3825D7FAF861AF9EF490E726B5D65AD5 |
| Intelligence: | 44 malware samples on MalwareBazaar are signed with this code signing certificate |
| Thumbprint Algorithm: | SHA256 |
| Thumbprint: | 8815DFF787F21FA8106760CB89C5B4493F4BD45E2CE801D2A4FE1F61DEE0C039 |
| Source: | This information was brought to you by ReversingLabs A1000 Malware Analysis Platform |
abuse_ch
Malspam distributing FormBook:HELO: gproxy3-pub.mail.unifiedlayer.com
Sending IP: 69.89.30.42
From: kumar@cellcommsolutions.com
Reply-To: kumar@cellcommsolutions.com
Subject: May RFQ
Attachment: RFQ05202004.rar (contains "RFQ05202004.exe")
Intelligence
File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Grp
Status:
Malicious
First seen:
2020-05-04 18:17:58 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
20 of 31 (64.52%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 4'785 additional samples on MalwareBazaar
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mafov.com/k91/
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.