MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20b27c73d6c337c95759c21e02e1e795fb7f07413e46f053e6e728c5de342dd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	20b27c73d6c337c95759c21e02e1e795fb7f07413e46f053e6e728c5de342dd9
SHA3-384 hash:	59b33f2445af3920128f03fad1284e55b6b2c51c811cf3b8521ddcef8bd23cf8e0afcd24172e9ac1361e97d407bdbd47
SHA1 hash:	4745737dde241e42470a73303778e2ba37a6e761
MD5 hash:	15fc2ccb48e28c2001728c3b92022e3b
humanhash:	lamp-fifteen-bluebird-west
File name:	INVOICE_#24.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	406'016 bytes
First seen:	2020-05-07 06:46:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:by616mECFWe2KN2aPDLvCCGZyimTrNME6C4o0eR8vqKxBvdg:by6TXz2KNlfCX2T
Threatray	5'309 similar samples on MalwareBazaar
TLSH	B2848C9D322C72FEC467D4728ED8ACB4EA607476635B53179023459EAACDD83CF248B1
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: qualitech-solutions.cam
Sending IP: 111.90.140.145
From: Brian Robert <brian.robert@qualitech-solutions.cam>
Subject: RE: AW: Payment Order/Invoice
Attachment: INVOICE_24.rar (contains "INVOICE_#24.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

86

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Variant.Razy.552185.31306.8000.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-07 07:35:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

1

AV detection:

27 of 31 (87.10%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=eczhy46wym34sv2zyipafyphsx5x6b2bhzdpau7g44umlxrufxmq._file

Verdict:

malicious

Similar samples:

023ca25a18e7b6fe4c2346878ff4e688c011ef10900611f59689c4881f76579c

0f9158444d5e5387bfc619b035fbc31625cc933643f3eea063eca29cc33455ef

161ab2a24a2f0a71e1a50d1110b3ca25ec1a53c1412c2235db94a871bc3c9563

2909ff5bce8e72f2007455c778afbe46192919731b197e654e6e03f47cbe421f

538b5708c76c86e74b0bf54772daa9bda7c7bab48b5261541a3bf128714d8e68

65a02f6b451bb5ccf5d443b7976da84cb80812e24a909d1038423bfe5ac5e2b8

8b9bbca00335521a8fa45d5abf271ccf0eac27d70e44140355f7af671c3dbe7e

96ffe97ffd555e8f1329ba24b40cba5320d5bc1ef51fb0155b9dea55bf842487

986db22a45f9c417139adb5a9fe1708dedc8b029a428e9db880b2cb7408c5d2d

e2e86de59b03cd68c6795d391938d75dac7fa0fe0d5bf497a075402686eba01d

+ 5'299 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-2cpk5pdgsx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.govaj.com/bd2/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

dbc105b643efe591d574672d5c5b7351

exe 20b27c73d6c337c95759c21e02e1e795fb7f07413e46f053e6e728c5de342dd9

(this sample)

Dropped by

MD5 dbc105b643efe591d574672d5c5b7351

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample