MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c17fcd097bdf870469b6ae65ca22d42ed57f250d411d9123a259146c8056362. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c17fcd097bdf870469b6ae65ca22d42ed57f250d411d9123a259146c8056362
SHA3-384 hash: 43108737b373b86aa3b5ab2497b6bd5d827ca95bf0f6d605cd447799cb5f86cd36ef44b1eb5cc30db1a4f73ae51e6511
SHA1 hash: 6ca475264b292763175e387963df38f830697102
MD5 hash: 2e2ec2d292d76448efa9f3387f445261
humanhash: maryland-saturn-black-alpha
File name:Invoice.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:328'192 bytes
First seen:2020-05-20 08:44:35 UTC
Last seen:2020-05-20 09:48:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:+238/oN1ylcqM01p90rCcE7fCY+/G9y5NQXtCwGtMAq9JmY9x3KsYdCO:+238/4CTM0b90rCB2y9zd7mY9x3KsYdr
Threatray 5'316 similar samples on MalwareBazaar
TLSH 3864186C3258359FD45FC2B5CBD41C2BA650A037532B7E1688D7039D9B0EA83FE611BA
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: aktywizacja.com.pl
Sending IP: 94.100.28.181
From: Arnout <handel@aktywizacja.com.pl>
Reply-To: handel@aktywizacja.com.pl
Subject: Inquiry
Attachment: Inquiry Lists.rar (contains "Invoice.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.47339.30231.475.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 03:48:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 30 (73.33%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dql7zuexxx4haru3nltfzirnilwvp4sq2qi5ser2ewiunsafmnra._file
Verdict:
malicious
Similar samples:
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
FormBook
2427c640fc5ca5313c85c5a956571afdb1543d5964d3ce536b61262d73a9eaaa
FormBook
2a11f8f83b6c7fc23742f76d10d013aef543026557ddcd62879a638f6fd00c52
FormBook
2a40a9e18303875b2db452783190820001c898e8374864fec29793bf43bbe401
FormBook
8842ac3497c777517b2f18152eabaa0994a460d249773a5e89a4e16bca2bd741
FormBook
94b89dec963ec5d8d9440acb8690d79494187187d36d0f964da12bba0cc1cad3
FormBook
9847005465ae681d1d9533697106492027a1d55b64b0ca1b6f2a79730a5140a4
FormBook
9daa8e87928b88143b9482b989764524754c86d142027ccaad1fc452f52c1765
FormBook
bd7c17b39ab5f775700bae65b0930ae6b18e674036b6939c7264a9e7f14637ad
FormBook
ee21511b610cd2a154c85c04c0e3d88f82b0ee835afd51247a1a7e97900cd733
FormBook
+ 5'306 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-symasx7zpn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.salomdy.com/rck/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 8c219a602699e90b36fee07846dde9ff44a93fad6b60512b6604d43f1254e1e5

FormBook

Executable exe 1c17fcd097bdf870469b6ae65ca22d42ed57f250d411d9123a259146c8056362

(this sample)

  
Dropped by
MD5 3d76662b8e2d5d21fa226fcc020b58a8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8c219a602699e90b36fee07846dde9ff44a93fad6b60512b6604d43f1254e1e5

Comments