MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc6b805a646f42a086dc2006a3a1ebe276b45d4583aae6ecb8745330a5139733. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc6b805a646f42a086dc2006a3a1ebe276b45d4583aae6ecb8745330a5139733
SHA3-384 hash: 6d5a6bd99518f7aafff2944c6cbb24a49b1d387b855d851755576f93d8fa13e1215bc51bee2c342d7c6b94ed98e3a799
SHA1 hash: e7359ceee7e6bfdbc41296e30d6852bc3ce0bd9d
MD5 hash: 356a053f638d8a502ecc634dd48d04f2
humanhash: one-lemon-wolfram-rugby
File name:Attached new order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:297'472 bytes
First seen:2020-07-02 06:25:28 UTC
Last seen:2020-07-02 06:51:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:xIRPe8hQswvaPgT98olIpNfG4rGYZVysgLe8JFYiZLpKuxu:2RGqQswiPgTeounfhJqsyeOTZNKu
Threatray 5'095 similar samples on MalwareBazaar
TLSH 3854DF7E6B67AF3AC7CAD23ED0030A1587348F4A6C52E397DCAD71B819173942E12197
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mout.gmx.com
Sending IP: 74.208.4.201
From: Info <infokeffynsewinghaven@mail.com>
Subject: Re: Re: Attached new order
Attachment: Attached new order.rar (contains "Attached new order.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18287/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.68324.164.18974.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fc6b805a646f42a086dc2006a3a1ebe276b45d4583aae6ecb8745330a5139733/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-07-02 06:27:05 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7rvyawten5bkbbw4eadkhipl4j3lixkfqovon3fyorjtbjits4zq._file
Verdict:
malicious
Similar samples:
0a6caea4ce7bf55029e1f01895a6c653fb2c5166f76dafcf94956dd8915e4eab
FormBook
3e9bb2ac28ce3eddd3d78d47c7af51ccc143bdfe09faa32752c67fa126edabc3
FormBook
73b08755001aa841367c969576a59bde8749a39267ffd48f28b5738d531fd16d
FormBook
7b1f38ea00893691f1f2026c920e6755595e38c79fb43db6136ab8dee695455f
FormBook
7e1cc3c2c72032a35e00a39574018d4dc7b5c8b4a2b52e865be86cea4fb03436
FormBook
836e10c649bce22fed99ea498ea2f36c8d7e832be5be20de60a4f0a13db71ed9
FormBook
89ff5517452e28f7853a015903ba0573e53d05a36095774e186022944945a5a5
FormBook
927ea99a59336bb821aa9062c686d43e3022224f56c6f34338218ddc6e165cfb
FormBook
bebdb4d1e77c1b459833876c8599ce54d46bcba89e3c8d13c1add73723648fb9
FormBook
c629f38c249f5f8a7da9911fae23c88120e4a750e3dfc52578396094a7ec7dcd
FormBook
+ 5'085 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200702-bce1zem2g6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Adds Run entry to policy start application
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 4dd08bfa7c898320dc393d24b7e909f8f7dc97a1d3bcd70c8b0f910419164358

FormBook

Executable exe fc6b805a646f42a086dc2006a3a1ebe276b45d4583aae6ecb8745330a5139733

(this sample)

  
Dropped by
MD5 c52d6aa6de951b65e3ed02da1d855bd8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4dd08bfa7c898320dc393d24b7e909f8f7dc97a1d3bcd70c8b0f910419164358
Cape
Cape
https://www.capesandbox.com/analysis/18287/

Comments