MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f014ffb0f5d6c1d60604f77036406bab647d0eec541be614a604160c202c3ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f014ffb0f5d6c1d60604f77036406bab647d0eec541be614a604160c202c3ab
SHA3-384 hash: ce33bbe97e0b83652d6c3b9aaadaf3eda5a8c21f3587f705c5781f33256df282e9b43aa10fc672a629c4a58ff7acbddf
SHA1 hash: 32caecc44c356c2ee5c15118970cad044505a428
MD5 hash: b2bc3e33ad2f8f724d45f216ab002f6e
humanhash: network-twenty-mountain-oklahoma
File name:Shenzhen.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:253'952 bytes
First seen:2020-05-11 08:19:08 UTC
Last seen:2020-05-11 08:58:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:VKkTN7+ik18jvM4fdJ5tRj3RoqXT7pDio0Crxm0Ziu4R231uKHl2dZH:VZTY18jplJ5D36C7p+o19ial9Hs7
Threatray 5'109 similar samples on MalwareBazaar
TLSH 11446A3D29FA232BD270C1F5CFD6C46BF154E4BA7162193A99A35352962394728C323E
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: colorntouch.co
Sending IP: 111.90.141.162
From: Robert Cosmin <cosmin854@colorntouch.co>
Subject: RE: RE: 0322/PO/GEN/IV/2020
Attachment: Shenzhen.rar (contains "Shenzhen.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ArtemisB2BC3E33AD2F.18389.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 04:44:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b4au76yplvwb2ydaj53qgzagxk3epuhoyva34ykkmbawbqqcyovq._file
Verdict:
malicious
Similar samples:
11892c93ce6ecc668a92bcbb2e618edbc40f87cea8938e2dbe7061cbc6d1f689
FormBook
163065b27e36ce19e815d862a46534b6b7a048be46562ae48c3811fb35fa3338
FormBook
2bde030373678bb2df1223cd3e3c4e7f2992e30739dcc63b688368f02a100067
FormBook
2ed611befc2af97a0bf7bada7f7b53d4f625f99620983252455e675d22021bc6
FormBook
95c37518f5a88778d1faad771fcbdc5d1a0e816b9e9b8cd7763a258f5445d79a
FormBook
9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412
FormBook
9f2db3c39e19066111590682924d0c124e83b13c1acebca4059722d8e7fc649c
FormBook
b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663
FormBook
f4c535616a04819e9553cb3dbac66db0021065fb89a5e5c799c0b4eb301fb582
FormBook
f99691f533ca56e970f2be2d26ea424ac50bff2aa2bfd43482d0a166bece71eb
FormBook
+ 5'099 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-gdpjq8sn5x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 6e66081aba851d8142e6649cba13a45cf2d73d1f70f56d60f0df34a3b309bf5e

FormBook

Executable exe 0f014ffb0f5d6c1d60604f77036406bab647d0eec541be614a604160c202c3ab

(this sample)

  
Dropped by
MD5 04a3d4f52eb7be9b343352aa6e78d6cb
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6e66081aba851d8142e6649cba13a45cf2d73d1f70f56d60f0df34a3b309bf5e

Comments