MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fce58e0c02814aeb6161290c71d4ac6594efab18d4de4d17ad9931214cf5679f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fce58e0c02814aeb6161290c71d4ac6594efab18d4de4d17ad9931214cf5679f
SHA3-384 hash: 6d1f10e40d3209125e1a1bdc3eb99b40a7bae061259660af8a83402a344574535b400edac4cfd8ee24f508cad5e108e1
SHA1 hash: 7779cad23ab741e89d2205d7dbe491619fe9d8e1
MD5 hash: 8434585cc3a348506cbfa2dac9ede611
humanhash: river-floor-neptune-ink
File name:Attached new order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:437'248 bytes
First seen:2020-07-02 07:26:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:arsIUtLW5Cd+PierZ15/kXxhPpBg1OMv8:rczZ/kBhBqAMk
Threatray 2'321 similar samples on MalwareBazaar
TLSH 7D9429227A45D028C47A0A3784BE1EC5A77579D73323CB1E7B8B57581E0229B7F2721E
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: vps.thonivii.com
Sending IP: 45.95.169.6
From: Lisa Hongrita <info@balikcenter.com>
Reply-To: Lisa Hongrita <info@balikcenter.com>
Subject: Re: Re: Attached new order
Attachment: Attached new order.rar (contains "Attached new order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18366/
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fce58e0c02814aeb6161290c71d4ac6594efab18d4de4d17ad9931214cf5679f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-02 07:28:06 UTC
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7tsy4dacqffowylbfeghdvfmmwko7kyy2tpe2f5nteyscthvm6pq._file
Verdict:
malicious
Similar samples:
0a6caea4ce7bf55029e1f01895a6c653fb2c5166f76dafcf94956dd8915e4eab
FormBook
73b08755001aa841367c969576a59bde8749a39267ffd48f28b5738d531fd16d
FormBook
7b1f38ea00893691f1f2026c920e6755595e38c79fb43db6136ab8dee695455f
FormBook
7e1cc3c2c72032a35e00a39574018d4dc7b5c8b4a2b52e865be86cea4fb03436
FormBook
89ff5517452e28f7853a015903ba0573e53d05a36095774e186022944945a5a5
FormBook
8ffe1634ec406dc2f1db74d9dd90ddf64b3abf2e42d491406b758d177747213a
FormBook
927ea99a59336bb821aa9062c686d43e3022224f56c6f34338218ddc6e165cfb
FormBook
c629f38c249f5f8a7da9911fae23c88120e4a750e3dfc52578396094a7ec7dcd
FormBook
f646b35153e14b1c060f94dfa4e3467165946dd9720b8ed63c2e8b144f132f22
FormBook
fc6b805a646f42a086dc2006a3a1ebe276b45d4583aae6ecb8745330a5139733
FormBook
+ 2'311 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
spyware evasion trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200702-wx34ewg73j/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

3941f8f89dcdc5d324deac205b1e0679

FormBook

Executable exe fce58e0c02814aeb6161290c71d4ac6594efab18d4de4d17ad9931214cf5679f

(this sample)

  
Dropped by
MD5 3941f8f89dcdc5d324deac205b1e0679
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/18366/

Comments