MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fc8a3262a1c12fd2ec5ffded3e5b8f83a14ebcbb1313e73900534ae42cc1ef8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	1fc8a3262a1c12fd2ec5ffded3e5b8f83a14ebcbb1313e73900534ae42cc1ef8
SHA3-384 hash:	ec32873ba05df4e8d2fc1876810538bb5f500e0b0160f91c9ef747bb960c0675ef80bbacced6eaa1d9666950b96bef6f
SHA1 hash:	ad81945da478bdf8a24def0fe1a3dd210a9052c1
MD5 hash:	a49ea312c0237b3ea373035fe62f476f
humanhash:	minnesota-romeo-seventeen-island
File name:	SHIPPING DOCUMENT & PL.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	623'616 bytes
First seen:	2020-10-22 07:50:12 UTC
Last seen:	2020-10-22 13:32:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:vhA9A1GKZHNYPzodEwUIb8PiS6oArnJ4n168GaFCWiY4MxKKsZ9fG:ZIA1GUKzodEdIb8PcA16PaF5zlgKqG
Threatray	2'650 similar samples on MalwareBazaar
TLSH	11D402217295BB33D2BE8BF621AC4509D7F1119F6271EA185CE276EB64F0B019F90E43
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing unidentified malware:

HELO: dijlashipping.com
Sending IP: 103.125.191.170
From: JITENDRA MISRA<info@dijlashipping.com>
Subject: RE: SHIPPING DOCUMENT & PL
Attachment: SHIPPING DOCUMENT PL.rar (contains "SHIPPING DOCUMENT & PL.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/74566/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1fc8a3262a1c12fd2ec5ffded3e5b8f83a14ebcbb1313e73900534ae42cc1ef8/

Threat name:

ByteCode-MSIL.Ransomware.TeslaCrypt

Status:

Malicious

First seen:

2020-10-22 04:03:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d7ekgjrkdqjp2lwf77pnhzny7a5bj26lweyt444qau2k4qwmd34a._file

Verdict:

malicious

Label(s):

formbook

Formbook

143848b6d47c7c571df87a7dee1892aa571b94fca0d9d60c6b7a2141f644950a

Formbook

41e247af1c9e83534cd1a251b618432759435c3f9c9dfd2c8760f712a6ccc5a4

Formbook

7843242690547cf0b4ebea118783c903b99c3a211f1775db3cf24b09fbe2454a

Formbook

8e11fa75359ffe3024bd4f57a0f3583db152f8fea0d4e5621bd5d058b0b402a3

Formbook

a4d4e093896e53df94a4ffb14632be70329334ac705925a975fa499ac7ee0a89

Formbook

a9675f768840e844de5923c2319cae51ba47ca5eee5c50c58418d274d5985520

Formbook

b8e4dfdddae3c40ef710797605631573fe5689ae296637a411a88f8f3c1d7389

Formbook

d085d4d4370b02036dfe9de7c9061d88a8a5cd12cbced6dbdca9ba217112375c

Formbook

eecabbdec29294f055c109660c94db3de0ce9187461ea6f18639cf9c34883e70

Formbook

+ 2'640 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/201022-2x8qhys6hs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.onedollarreports.com/ga4/

Unpacked files

SH256 hash:

1fc8a3262a1c12fd2ec5ffded3e5b8f83a14ebcbb1313e73900534ae42cc1ef8

MD5 hash:

a49ea312c0237b3ea373035fe62f476f

SHA1 hash:

ad81945da478bdf8a24def0fe1a3dd210a9052c1

Link:

https://www.unpac.me/results/c3c95cd9-4f96-4d38-aab4-bef265211836/

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/c3c95cd9-4f96-4d38-aab4-bef265211836/

SH256 hash:

e7cb27fd31f4aa4c362e5fe478a31171535f42ffccb45b37fcc5e0beaabeccde

MD5 hash:

759b46f7c0b0e12f10f9ff8f19b3abad

SHA1 hash:

c4fa68db431626d1b2600e07dba9d6c5dde0fe1b

Link:

https://www.unpac.me/results/c3c95cd9-4f96-4d38-aab4-bef265211836/

SH256 hash:

73f076bc921d9938f0138a0f7dee0607dd676b051459e617919ccf3e72d892fb

MD5 hash:

cbde9fda97b44b27574ed1e5f23d47b8

SHA1 hash:

7a212755b64f48a0b2e6b6835e41ab76959ba9fc

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/c3c95cd9-4f96-4d38-aab4-bef265211836/

Parent samples :

a9675f768840e844de5923c2319cae51ba47ca5eee5c50c58418d274d5985520
41e247af1c9e83534cd1a251b618432759435c3f9c9dfd2c8760f712a6ccc5a4
b8e4dfdddae3c40ef710797605631573fe5689ae296637a411a88f8f3c1d7389
eecabbdec29294f055c109660c94db3de0ce9187461ea6f18639cf9c34883e70
8e11fa75359ffe3024bd4f57a0f3583db152f8fea0d4e5621bd5d058b0b402a3
115e12fb613c8200563e60ee8acd822733772ebac21e27f203a7342043442d8a
1fc8a3262a1c12fd2ec5ffded3e5b8f83a14ebcbb1313e73900534ae42cc1ef8
51fc4c13e2fa607113d821aaab2ba2e96d10097d69698ec3facc71b8b751e068
61e2669d1d6be1a20f73da4171233966f8903fa41113364c66d747c8d1e7a39a
43c2d2c8e89ca3617e9521d6218b2d3c5f9e29b41b591622c658471b01b718f9
420964e0ddf92963742717a6101a8a1ba18882ad7187a5cf0b586d717b87dfb7

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.