MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b0bbb9d0978499e58dcd5538ceeb8dd240faf8129a5e79e0c8ab0ac7d21e76d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b0bbb9d0978499e58dcd5538ceeb8dd240faf8129a5e79e0c8ab0ac7d21e76d
SHA3-384 hash: 0881f4ef9512aaeaa9aa1f25acd35ea3c88e1e9f775f3ce270ee44b4e7eedb0cb0281e769ab556d417a2e9f180b2ee01
SHA1 hash: 82e6c81ef00ab46c3732a8b972e8f417f75d557c
MD5 hash: 01e7272ff77147dadac1f60d1ce5c133
humanhash: mockingbird-angel-virginia-four
File name:QWY901.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:714'752 bytes
First seen:2020-05-01 12:34:30 UTC
Last seen:2020-05-01 13:50:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:6sZzzz25lB1wC1lcpbCa2FfPfVPm73kCbXXm9ItY:Hzz2DNFPsL9aEY
Threatray 6 similar samples on MalwareBazaar
TLSH 0DE428B3D34CC8D2CE951EB4511E9E674A60AF4FAEC4A7C809ECB477CB79165E8D0482
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: win04-mail.zth.netdesignhost.com
Sending IP: 150.95.29.34
From: order@smpharma.co.th
Subject: Attached T/T copy for payment.
Attachment: QWY901.rar (contains "QWY901.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VRW.3504.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 23:49:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dmf3xhijpbez4wg42vjyz3vy3usa7l4bfgs6phqmrkyky7jb45wq._file
Verdict:
unknown
Similar samples:
26279831e4b7aa96d846a0a56275b8c5ebfafadb34062d82078c7771cefbd19e
FormBook
32ac62cebb74e1795b30f1668fb6bc9fe84bed0e4df9a78dfe6b534815dd0a0e
FormBook
5d3c65ee71f5ed252540489c16fa247131265123b6315730c4ab00810c5cedae
FormBook
94d6b59e8f4f8a6dcbd043808cd713d0122e6077c6182ecf486eae49198cc00b
FormBook
9bb6a76344a0906d9292209ede4ecb2b87bda68265397a1e854cf464e078ec5d
FormBook
ea481eac86e69fc04fa8bbd61dc945e0f5be7327b369df5483b14faf8bdfaf8a
FormBook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar be68d02acc0fce145750ed7b55a28ca9d1eb7ce2dbed11ec726ef8b56a2cd35a

FormBook

Executable exe 1b0bbb9d0978499e58dcd5538ceeb8dd240faf8129a5e79e0c8ab0ac7d21e76d

(this sample)

  
Dropped by
MD5 554afacff10982de2582ee0647fa24fc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 be68d02acc0fce145750ed7b55a28ca9d1eb7ce2dbed11ec726ef8b56a2cd35a

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments