MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a06767c6ec2249902ef118e04b2044b9784b544b81a7f5e253ae373fd706ceb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a06767c6ec2249902ef118e04b2044b9784b544b81a7f5e253ae373fd706ceb
SHA3-384 hash: c3c1515f33f72441063016c63c88831d0fba2c4dd6b8048edd67e4c640a953b3fd9bbc065c0e348865a6002819f0aa52
SHA1 hash: 63c11f8a26e69e5a0f1a19c2115eb8be8f57cb2a
MD5 hash: 3b946d9c1c8d6586540fd217f44201dd
humanhash: blossom-minnesota-idaho-maryland
File name:order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:700'416 bytes
First seen:2020-05-25 14:16:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e69d91ce4b5556e616458c5a122c112e (4 x AgentTesla, 3 x Loki, 2 x NanoCore)
ssdeep 12288:cC1TxYROXXH+NrZEb3StxjYr5C9N1Yf7i6U6V15iaJMc:1tPHeO3q21C9T4i6U6V153M
Threatray 4'820 similar samples on MalwareBazaar
TLSH 26E4AE22E2E00433D1B3567D9C1B9778E836FE51393869863BE49C4C6F39381797A297
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server0.milltrade.pw
Sending IP: 192.129.213.99
From: Stefan Bärlund <sales@milltrade.pw>
Subject: URGENT ORDER INQUIRY
Attachment: order.rar (contains "order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Injector.EMBN.20557.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 14:29:24 UTC
File Type:
PE (Exe)
Extracted files:
263
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
06e0e3da562a627b84f328a76d70b62326e2b5a82fd28bf943b6d3dfd1f26cb7
FormBook
30bbf2043054b92e495bbd55f67e43b8eafce430bf31d8aaa4899385e503cdbe
FormBook
498fbde70a7375ef095b51ad4ad72798d26a2d28dd82e155e9afc31e95773bea
FormBook
5b5dcd2dd420cb6a9ef69b94fb8340145ca859897285ef38d87b38b1757af463
FormBook
5f657de9b0eaeb9eabf6d18a202f7b8c7daafd71d03387366069fe9ebd5f282a
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
846da150185354155686d4f5d45ed5d0791cb8a97769e73e38a33c4d43c75db3
FormBook
9295ce88660ed117b7cfff0886232a51dc6492bf6100738957bf93fabdb74bb8
FormBook
c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348
FormBook
e6de9e86b470184110650c77b487796a8fb27d67a60b9e0ca7a113df7eefdde6
FormBook
+ 4'810 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-xh3kjdvrss/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.worstig.com/w9z/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar f99fcaedc0640fba0f23d2e558a0e3404d9b4e8ff312919a4d7a6683d3b41726

FormBook

Executable exe 0a06767c6ec2249902ef118e04b2044b9784b544b81a7f5e253ae373fd706ceb

(this sample)

  
Dropped by
MD5 9ef057b1d44424d17662adc9bb7d0671
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f99fcaedc0640fba0f23d2e558a0e3404d9b4e8ff312919a4d7a6683d3b41726

Comments