MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bfdb7e4f0aadba330b6017c2608570e791bfddff789d128ecb5ca9a5a06e6fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	1bfdb7e4f0aadba330b6017c2608570e791bfddff789d128ecb5ca9a5a06e6fe
SHA3-384 hash:	e543bff4e03c4fa3b99fad615003b329889f2435b6665b858ec7566606a632a225c578daad3620f880e816fa9a1a3206
SHA1 hash:	2a3fa9d252528596b45fd0bc69ca3e82648a2709
MD5 hash:	8410b850e0f60c49b8a2e0e201e1c74f
humanhash:	nebraska-mirror-sink-fourteen
File name:	Quotation Request 18-08-20 PDF.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	388'096 bytes
First seen:	2020-08-18 10:18:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	6144:51qRER+yrl+UciCCvnbaqPZDOskuPIeZ97rjXfwR4Wdd0J6SktBn3vHhOAdZ8wPC:quRDB+UciC8baqPZH5PIeBjWVyjktpPi
Threatray	2'240 similar samples on MalwareBazaar
TLSH	4B84F168B554B29FCC3E8E7A98580C7457B06177234BF2439C5358EA9A1DAE3CF049E3
Reporter	cocaman
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

69

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/47676/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Launching the process to change network settings

Launching cmd.exe command interpreter

Setting browser functions hooks

Forced shutdown of a system process

Unauthorized injection to a system process

Unauthorized injection to a browser process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/1bfdb7e4f0aadba330b6017c2608570e791bfddff789d128ecb5ca9a5a06e6fe/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-18 04:42:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

3

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dp63pzhqvln2gmfwaf6cmccxbz4rx7o766e5ckhmwxfjuwqg437a._file

Verdict:

malicious

Similar samples:

442452b82edb2b18431c296669c78df1c88b210775e9a9b5d7726a1092a8fc6f

66a51591c6b5e01a8aa9f8db61e81d2508b3a6535d7c7a53c501f35093b28fa4

6ff25388a91cbed0a11467e592e39e34c54de49d61876a2a201554e67c5b8cb4

854146ab0835f912d31018649e0f97ebde7a2267ec1085a36bc0dc73f5b6f2a9

8fa9dd16bb791bea50566208c8b216acc3c41e5c65495f34c3dcf99c595fccc8

d6cfa16240c572c1d310d0e3f9a3a48254103dbfdaf47d08b31bd255a6022d50

db31ede125999d44d9c886d76eb8d5c5ee280f17130e3e3138bf1f76935d1b99

dda62be10b5d6c904c056f244d721e7dfc5bd60d033992a4763fb1105e0c334f

ec34c3db0d2c865486e52760c0d35dab95adcb3544f2e03f5023495d112d64ba

f3a30108ab40b7f31ad7ad191bb41bd3ad148d09597705c1ec0bc0352d18c29e

+ 2'230 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat persistence spyware trojan stealer family:formbook

Link:

https://tria.ge/reports/200818-3wrjs54eaa/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Adds policy Run key to start application

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.funpexw.com/kdz/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

r00 d25d464d2f5c9697a54eafd37e42ca8da17683aa60d80cdf97463d8d6f8cfa9e

exe 1bfdb7e4f0aadba330b6017c2608570e791bfddff789d128ecb5ca9a5a06e6fe

(this sample)

Delivery method

Other

Dropped by

SHA256 d25d464d2f5c9697a54eafd37e42ca8da17683aa60d80cdf97463d8d6f8cfa9e

Cape

Cape

https://www.capesandbox.com/analysis/47676/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample