MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fff1c46e62b2f3a4e202e05aebfc1e7d72b8b3c540912fe18f4b97dc4ab50e55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fff1c46e62b2f3a4e202e05aebfc1e7d72b8b3c540912fe18f4b97dc4ab50e55
SHA3-384 hash: 8e4e64e5862049d75344556f992afcd835ee63709c209cba933a270ec376bcf9fe68da30457d54ade087774e19a1858d
SHA1 hash: d089a48e719ca3693a45dbb9e609e448fcbb7789
MD5 hash: c30317fb79fd8ac79f99d141f197a2b8
humanhash: cat-cup-oklahoma-comet
File name:PO-Hiks726357289.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:248'320 bytes
First seen:2020-06-15 05:39:54 UTC
Last seen:2020-06-15 07:02:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7bf3276cea36987fb223f1040f855c23 (4 x Formbook)
ssdeep 6144:mteSXk5L8V71baUJ9PLHvEy9UEtfAV9z:mxXk5LuJaUJNLHcytJcN
Threatray 5'638 similar samples on MalwareBazaar
TLSH F334CF22BBB2163FF469C63F282FC871416B3E90617272C5A2CC2B5D99373839667715
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: yangtwang.pw
Sending IP: 142.11.195.30
From: Lanre Hai <orders@hiksvisions.com>
Subject: Hiksvision Trial PO
Attachment: PO-Hiks726357289.z (contains "PO-Hiks726357289.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10255/
Detection(s):
SecuriteInfo.com.BScope.TrojanPSW.Banker.23814.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 01:30:17 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=77y4i3tcwlz2jyqc4bnox7a6pvzlrm6ficis7ympjol5ysvvbzkq._file
Verdict:
malicious
Similar samples:
0951d8c7c31922177bfac1849388cf7e947d6e51ccbf936c7edd1e6d7c44da9d
FormBook
203a57b86d7a9b486312d12e9bf9beab4eb116b5ab1aadc67ed503acb8bb0aa1
FormBook
29247c960e16e376148704241453b7a008a62c050e9d11b2bba111452acb7fa3
FormBook
4c23bde9d70af07e072c01489007afa4ba4c3672b168e2846f5c2b74c4a9c84a
FormBook
5c5e4e31bde29168e03fa8cce36bab9b577568137edab59f68f8968616546ed9
FormBook
6769e022c41fa821b705a29415f8ffd4be0fc7dc2619ef595e436637f849c0cd
FormBook
73b08755001aa841367c969576a59bde8749a39267ffd48f28b5738d531fd16d
FormBook
9cd4df25010125f2ef3eeef44503b3c2b58435af758fe7213d053a60f018f3d8
FormBook
a1520b7826c6a1de6e82b8d24c1667436bb94dac97404959e2c368863a471f6b
FormBook
e6bdca558fb485e6ac7295d20f868902f2b790bc147fb3ab1e3a6628280d40f3
FormBook
+ 5'628 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-slw84ytve6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.domaky.com/a0u/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

z aeb7bd2fc40a3cd8a62a8e8e8dc9db921ba4e81257126a9a43b340bb1964a94f

FormBook

Executable exe fff1c46e62b2f3a4e202e05aebfc1e7d72b8b3c540912fe18f4b97dc4ab50e55

(this sample)

  
Dropped by
MD5 75e0760524cdc1540f62b1749add1ef5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 aeb7bd2fc40a3cd8a62a8e8e8dc9db921ba4e81257126a9a43b340bb1964a94f
Cape
Cape
https://www.capesandbox.com/analysis/10255/

Comments