MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29148cc306f09fea4a92bcfd7deed08aee01c4d63067a2a58e697184ed081917. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29148cc306f09fea4a92bcfd7deed08aee01c4d63067a2a58e697184ed081917
SHA3-384 hash: 00e0b8d679b66bbc4b5b5d6b8c978cd91d033b5c04bc0e199d7d51ee4e515a451611270cbe2abffc39d214713427ec9f
SHA1 hash: 39cfd01406c8d11e228e56fc41758af2ab960d16
MD5 hash: 6f77e5a4e151db3bef61d22cc14f8143
humanhash: washington-friend-pasta-wolfram
File name:TNT CONSIGNMENT.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:792'064 bytes
First seen:2020-05-12 08:58:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8e6e98a800af710a823c84ca54e3cbb4 (14 x AgentTesla, 4 x Loki, 3 x NanoCore)
ssdeep 12288:d3IBD2b65mJPljOYeL/ZJVmxq2Wja37RjQof/ay3jcnOp9tg9h2vgJyHn:dY5Wtqhz4Q0P3ayTcnn9Z
Threatray 4'918 similar samples on MalwareBazaar
TLSH 00F4B066F2D04C37C1776A389D1B5658AA3ABE103E28994F6BF81D0CAF3878135752D3
Reporter abuse_ch
Tags:exe FormBook TNT


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail0.67.menxtinuon.casa
Sending IP: 159.65.156.203
From: TNT <tnt@67.menxtinuon.casa>
Subject: TNT CONSIGNMENT NOTIFICATION: AWB 10623-24
Attachment: TNT CONSIGNMENT.gz (contains "TNT CONSIGNMENT.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.Fareit.cc.21246.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-12 02:50:18 UTC
File Type:
PE (Exe)
Extracted files:
265
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fekizqyg6cp6ususxt6x33wqrlxadrgwgbt2fjmonfyyj3iidelq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
FormBook
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
a85f53a7ad2f536d245e47535007f2bceacfa10f08d7f3f6568781dd1794caa0
FormBook
a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091
FormBook
bf58aecacc268c49d707512236a42c80cf096b24850c3096eb056f662ecbe2e3
FormBook
d164a96bef7f5762ed9e75ddb21cfd312cad76d5116a125e4d8790118375846b
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
f99691f533ca56e970f2be2d26ea424ac50bff2aa2bfd43482d0a166bece71eb
FormBook
+ 4'908 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-w4c86yx2cj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.elomafus.com/pc2/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

710b7f5ab03b0873ce6464fe714b03d2

FormBook

Executable exe 29148cc306f09fea4a92bcfd7deed08aee01c4d63067a2a58e697184ed081917

(this sample)

  
Dropped by
MD5 710b7f5ab03b0873ce6464fe714b03d2
  
Delivery method
Distributed via e-mail attachment

Comments