MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d433633d08421004a24c04b8a6a05b9c19afde22e6869c82f9cbe6aaad568fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d433633d08421004a24c04b8a6a05b9c19afde22e6869c82f9cbe6aaad568fd
SHA3-384 hash: eb688ca655899cc51e382853b59f2280a0a0507d6fd4156d08741aa7f2e1c3ada149cd8e08e7bbe4dba8ba6a6f5cb765
SHA1 hash: f73191931305e8bfc05fe09e036e288fe3e45aee
MD5 hash: 79b4935f91bac1e001cc2e440259240c
humanhash: cup-river-oklahoma-mississippi
File name:invoice#08312020 (2).exe
Download: download sample
Signature Formbook
Create hunting rule
File size:822'272 bytes
First seen:2020-09-01 04:49:52 UTC
Last seen:2020-09-01 05:43:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:iQ2AEpX2lQK0VadpoSpNjPWYyf8TV3KdZfT9Ad1EVcJQN+uBI0RnterXZEW2acuq:it1a7hpNSz8sdZfZAPEyJ8+Knn68ac
Threatray 2'248 similar samples on MalwareBazaar
TLSH 6F05D013431D8B2DEC1877B9349000DCE2F16E86FF34E0D8DE4B71AA653A64EA5DD692
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: alnassar.com.sa
Sending IP: 162.244.93.110
From: Omnimetric Technologies Pte Ltd <sales@omnimetric.com.sg>
Reply-To: sales@omnimetric.com.sg
Subject: invoice#08312020
Attachment: invoice08312020 2.zip (contains "invoice#08312020 (2).exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53790/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42555.20528.911.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/456126
Signature
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d433633d08421004a24c04b8a6a05b9c19afde22e6869c82f9cbe6aaad568fd/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 03:32:20 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dvbtmm6qqqqqasreybfyu2qfxhazv7pcfzugtsbpts7gvkwvnd6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
23b880c48fec41fa4fc337f0ecb3d9cd5ee8f71cd45448049a35bbcb85bb01f5
Formbook
2467572968320c67ea46c765d9cdae94d3887e44d7af7e29b88f1b0e51fa4c01
Formbook
27c2836a432ffef984ec91f36cd49097f0b01561bf3e2f3fde71cc5ecde70541
Formbook
33500d82b580ebcc34521dd70217ba0cf976d4708f6d9d413388aae64317b43d
Formbook
353e4fd91fe618f5c22c9cae00e7575e9b1914576ff7e332d03ca3e9f7dbbbbc
Formbook
4458df211fccf5c1d24b96ebb7b4191cc94edc0b0e13bbb80ae3919f015297d9
Formbook
6612e640d15ed26414fc5c288b9bb7050db90517febb11d4b5145fb8d84441b9
Formbook
ad660d774f78137622d038976557c8782211dbfd39d2ff9a7a4bcc9279ba0f41
Formbook
b3423777b1bafbe661edd1f4d3d98e72fcb48394764ddeb57bb913b881cf9177
Formbook
ef19177bdff9d49a09dd7010e58fd81029d5f8e2d54abb053575604c2fc219ed
Formbook
+ 2'238 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200901-3k3eqlmz7n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d433633d08421004a24c04b8a6a05b9c19afde22e6869c82f9cbe6aaad568fd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 724a585829d9c3fbcae767e43097a6d789073b5f32c0203db562a6560cfde5bd

Formbook

Executable exe 1d433633d08421004a24c04b8a6a05b9c19afde22e6869c82f9cbe6aaad568fd

(this sample)

  
Dropped by
MD5 8d27151f80468b74c84eb42ba9fb137c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 724a585829d9c3fbcae767e43097a6d789073b5f32c0203db562a6560cfde5bd
Cape
Cape
https://www.capesandbox.com/analysis/53790/

Comments