MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc178548910fecad24f84095745d2ea59340b4c51cfb756f78f1d7811e570662. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc178548910fecad24f84095745d2ea59340b4c51cfb756f78f1d7811e570662
SHA3-384 hash: bac3e3a46663ab55a48d6babb97d1361aea9b4bd4ecbab7aff822b3796885c65ac3f70c40b73222e891d291329bab028
SHA1 hash: 83a789603456fe52bf7f3f9d0310020ac35eb269
MD5 hash: 26b7e9017baf7dda3a436f4a69ad7020
humanhash: wolfram-papa-hotel-west
File name:HEC45882147978890_PDF.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:341'504 bytes
First seen:2020-06-22 07:52:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:j1oaDZSpWqfA/l69UFN6UN2iYl5/IzhuG6vKqy2XOTMkfQZwiA:1Z4fADaUdA9Izhu5fy8OTDYvA
Threatray 5'114 similar samples on MalwareBazaar
TLSH 2374CF1232558E73E2132DBA5C2CC1A112E7BD256512F51D6A9E321F28F235213EFB6F
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail0.ganniobunn.icu
Sending IP: 161.35.22.61
From: Hyungwoo (HEC) <harseno.halim@hec.com>
Reply-To: eterecomo@eternalexposure.com.my
Subject: #RFQ 0089374- Engineering Co.,Ltd (HEC), EPC company
Attachment: HEC45882147978890_PDF.zip (contains "HEC45882147978890_PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12482/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.43371003.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fc178548910fecad24f84095745d2ea59340b4c51cfb756f78f1d7811e570662/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-22 01:31:47 UTC
AV detection:
23 of 30 (76.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7qlykserb7wk2jhyickxixjouwjubngfdt5xk33y6hlychsxazra._file
Verdict:
malicious
Similar samples:
14c6d459ec4d91f072fb28a38c6e11a4f616ef84c3faf4c10feb3aec45529ed7
FormBook
34e97a0a96c8965670b1cd995a66c69a8ee72e59a76633e3fe8c8e0dc181f29e
FormBook
5a67dee45b2e60de47e22739c8be8614f31cdb4acbaf554f37d06ea41ddd8762
FormBook
6692dfd11b39875711297b99f0139009a90c2db02fda83ace3f18c579dd75e48
FormBook
77d3a28cd34ad07bbae3fe893ee4e92731be71f1fad1b632840c0bf3b5bc594e
FormBook
79ed25d14bd82eed48aae26c3ea3d4e6a334774296d2189832551ddb57abbafc
FormBook
7e9657bb8f4920565b2cbdc1add6d78026fc4e8047632ba077463e5991e105ee
FormBook
a866218f15c4a57d3bd29aa9a3cf71c3c23568647f8f983de57c2e7019bbb728
FormBook
d606ad2f22a8def869afd7e352766c880404a40948ac435d62d136ea7d61efcc
FormBook
f88d711b452d2678a61e6963c47457a1604491f2bbe6ed13d4710ce6f07d7b72
FormBook
+ 5'104 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/200624-nmwhkf3zke/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

913aa488761333029e2c08998f9d6738

FormBook

Executable exe fc178548910fecad24f84095745d2ea59340b4c51cfb756f78f1d7811e570662

(this sample)

  
Dropped by
MD5 913aa488761333029e2c08998f9d6738
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12482/

Comments