MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 feb3b84e0ea9e1c3522e9a3258f8578ffe461a43ce41920d6b41fa19520ac7a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: feb3b84e0ea9e1c3522e9a3258f8578ffe461a43ce41920d6b41fa19520ac7a2
SHA3-384 hash: 826479b885401fabfbdb29531a037efefa061a1509a07c3c61e9dc6321f500ab609c8701d8859dc2217a647d1263c909
SHA1 hash: 4a250378d35b30ce988afeae4ecce7618c3f8877
MD5 hash: 4527f0055a21654ff0892d7a4a88d1ec
humanhash: emma-paris-washington-white
File name:rEapCbVoctbGlWE.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:318'976 bytes
First seen:2020-06-16 12:46:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:gdZSOG2DAoVjlndzR8h8lxsSMFIVOrg91o4/g526Ny7Xdl3OygzXWA:TOGMnVpF/3sZFoeg9FgI6al31gzXWA
Threatray 5'118 similar samples on MalwareBazaar
TLSH BC64F00DB79E9327D7BC4B3C88F2250847F4B9263516DB195E8432EE1D63BC65A02E87
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: 162-241-215-82.unifiedlayer.com
Sending IP: 162.241.215.82
From: Benard Estrada <fzmt@fzmt.ru>
Subject: SOLICITUD URGENTE DE COTIZACIÓN
Attachment: RFQ- BDMC.Gz (contains "rEapCbVoctbGlWE.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10979/
Detection(s):
SecuriteInfo.com.Gen.NN.ZemsilCO.34128.tm0@aKqfwSn.32178.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 12:48:54 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=72z3qtqovhq4gurotizfr6cxr77emgsdzzazedllih5bsuqky6ra._file
Verdict:
malicious
Similar samples:
0a18c476254735864b8ab07e5223bb310207954cce179c4b773345d73247113f
FormBook
3a65203b683e8f50436aed7a76531617e566c4363ca795885683479e4a3430b6
FormBook
46d500e1f512e941b4c282d92908fb244439bede7a604381f761823d66f8ba2f
FormBook
5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea
FormBook
a658844624b4f1c5dd792ba527d7f04945aac9be928febf34813b3028deaf0da
FormBook
b1809788389e6fbab24abc12b306b2cd4d88a59b983b5a469a63d923e572fa6b
FormBook
b42bb3af52ae6b9fc8dd890fea86abad727db5ae0647217d2f5f2035bc5c2c7b
FormBook
cd120b25b52e7720424139783c7b18f496b07f5bd8f3d4c52ea8b149318da5de
FormBook
d571629d266c5354146cdfe698d79c88c33e598aa6c8d9a0587662c6b5421ed2
FormBook
f62545db6d573b7145c40ce57f9d85eafaa9ffd95923178d29a02845def94b0c
FormBook
+ 5'108 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
spyware evasion trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200624-4ste4te64j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Deletes itself
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

gz 288347bea0021ae77a23dbdfeab205aa07720b88ae574421a1dc17ee1ba315e6

FormBook

Executable exe feb3b84e0ea9e1c3522e9a3258f8578ffe461a43ce41920d6b41fa19520ac7a2

(this sample)

  
Dropped by
MD5 eb98f9149f506593256d19103179a9ea
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 288347bea0021ae77a23dbdfeab205aa07720b88ae574421a1dc17ee1ba315e6
Cape
Cape
https://www.capesandbox.com/analysis/10979/

Comments