MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2909ff5bce8e72f2007455c778afbe46192919731b197e654e6e03f47cbe421f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2909ff5bce8e72f2007455c778afbe46192919731b197e654e6e03f47cbe421f
SHA3-384 hash: 014a197de0d4dcceea5c9b347392c730769e4243c05e6c8772800b6a53dbc028c3353707b0abad53e197772e9a567c02
SHA1 hash: 966c9b9386f9500fa53484063631381d83d3a913
MD5 hash: 6fb3c73fe1dec475153fdc631ab6eb04
humanhash: fillet-sixteen-fifteen-fix
File name:ORDER I 3486.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:318'464 bytes
First seen:2020-05-27 07:59:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:19M1y3/wzf4OnWnbK6aTbzlmA8d8Li5uuvKhRNx3IrHjLk+:fMUPwz4O+K6agA855uuvIdIrHjLk
Threatray 4'888 similar samples on MalwareBazaar
TLSH 17648D9C721475EFC86BD4769AA82C64ABA034BB530BD347991351EE9A0DAC7CF140F3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: qualitech-solutions.cam
Sending IP: 111.90.140.145
From: Rose Larry <rose.larry@qualitech-solutions.cam>
Subject: RE: ORDER INQUIRY
Attachment: ORDER I 3486.rar (contains "ORDER I 3486.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WBK.30038.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 08:33:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
023ca25a18e7b6fe4c2346878ff4e688c011ef10900611f59689c4881f76579c
FormBook
0f9158444d5e5387bfc619b035fbc31625cc933643f3eea063eca29cc33455ef
FormBook
161ab2a24a2f0a71e1a50d1110b3ca25ec1a53c1412c2235db94a871bc3c9563
FormBook
4b83753be005d3668592559d6fe011fda590558f730140f6c303714ac8fe0d93
FormBook
538b5708c76c86e74b0bf54772daa9bda7c7bab48b5261541a3bf128714d8e68
FormBook
65a02f6b451bb5ccf5d443b7976da84cb80812e24a909d1038423bfe5ac5e2b8
FormBook
8b9bbca00335521a8fa45d5abf271ccf0eac27d70e44140355f7af671c3dbe7e
FormBook
986db22a45f9c417139adb5a9fe1708dedc8b029a428e9db880b2cb7408c5d2d
FormBook
de55a1b3e711c74c00998d9c4cb0f5da9672b109e2f362ac55f4a9f4033ffbf7
FormBook
e2e86de59b03cd68c6795d391938d75dac7fa0fe0d5bf497a075402686eba01d
FormBook
+ 4'878 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-kbne7d3816/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.govaj.com/bd2/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 7bae5ea79d4c75b7302852713f7436062834e25ac8acbfae7eda650f15908b23

FormBook

Executable exe 2909ff5bce8e72f2007455c778afbe46192919731b197e654e6e03f47cbe421f

(this sample)

  
Dropped by
MD5 2004748072cd62bc32a724fe6cc791f2
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7bae5ea79d4c75b7302852713f7436062834e25ac8acbfae7eda650f15908b23

Comments