MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 228e2e5ff30fec5cdde918f48e98664d9bf1f77f550666baa21208ca9b047af4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 228e2e5ff30fec5cdde918f48e98664d9bf1f77f550666baa21208ca9b047af4
SHA3-384 hash: 0ddf35e0405aab462397de3361fedb5c3aa82827076fbfa11a5f7037999dedc4be17fdb4a4dfd7d51b5c002e76cccd30
SHA1 hash: 81d40efb20f6dbfdb8e14a87c57d26b5dc9217d9
MD5 hash: d0b89f322dfa77b6a13aabf7f7984f87
humanhash: monkey-uncle-july-india
File name:order SEC.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:310'272 bytes
First seen:2020-05-22 07:17:39 UTC
Last seen:2020-05-22 08:02:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f24512e90289e19781909bb210331dd9 (3 x Formbook)
ssdeep 6144:QTWIlh+SeXtapqQxcKeSgs8+c0ucDN89CSsdRNSNtRXDzdke:ZIloSeX4EQxESuDcJ89CSoORzzdk
Threatray 5'093 similar samples on MalwareBazaar
TLSH 3164BF32A978953CD53FE1B0B9C3DDAA8DD904E3A06F4C8DC92CC265D66C7C185A7236
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.huttprimax.partners
Sending IP: 162.241.215.47
From: Helen He <dinamikakarg@post.com>
Subject: Re: order specification
Attachment: order SEC.zip (contains "order SEC.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 07:08:37 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0abe72d915f50b2a21fc3cafc52152db81bef2a16be4ccde68e64942bf927af1
FormBook
0d271903774ae9467d80cad6fcaec4d2ea4653b8eb4c28e0a1c7dbe0849ccd01
FormBook
1621dac1140afd3e3eed4b0f4ab0a93e81cd56c76e7532a0cc03d0b5a8dae04d
FormBook
347aa505ad319b4d8ee54aabe34dfc2af12b4747af23c6b635821ba9aedd0e32
FormBook
3a7e2e98243c188fbda3734b22856c30febb41d1f7e0ddbc034906288aa72dae
FormBook
3f86f49f3c2e3583c70385971bdba545c85d8f2d66f8923bf446dde88be3afc0
FormBook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
FormBook
9c5d88a1518cd310e763757d9acd267ed5741d6c79036e1053381729a0d700ca
FormBook
b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663
FormBook
f3f3cda95f4d655f189381268676beef7ab70ed8355ff178abcad416c71adb22
FormBook
+ 5'083 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-gzgpgvht36/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.tromagy.com/g8u/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 1f7fab26098e805c651f1c6fdbbfb99e1d1de4cf0c4564d0ff460aae879d815a

FormBook

Executable exe 228e2e5ff30fec5cdde918f48e98664d9bf1f77f550666baa21208ca9b047af4

(this sample)

  
Dropped by
MD5 a191e2b46788dc477b0c2bc8a52ef502
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1f7fab26098e805c651f1c6fdbbfb99e1d1de4cf0c4564d0ff460aae879d815a

Comments