MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b62f1799021ec3671db2883f808f73b3ba1970abb8c76eff529f2b32250c333. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	2b62f1799021ec3671db2883f808f73b3ba1970abb8c76eff529f2b32250c333
SHA3-384 hash:	a1f9cf8ceed1cfa30439981c706c964f977e80043419b44fa6e6a07d484f552c1508c7de1e57615e25fc8e22f6c4a213
SHA1 hash:	6c2a832c4ae1a3b4951aacf96f64f6c55ee23274
MD5 hash:	655df684fc05572dad326fe54004624c
humanhash:	oxygen-eleven-oven-carbon
File name:	YFAI Tender drafts.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	343'040 bytes
First seen:	2020-05-27 06:57:22 UTC
Last seen:	2020-05-27 08:16:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5fd94ccd1dec1c5baf6be7519f2d9282 (8 x Formbook)
ssdeep	6144:EkJSjYIgB7T//bbyJS4UZtidDzTF9aS4NAtC/jIPNFE7Dkvv7PmXDzdkD:3JYtgB7r/bbSGMdBsS4n2FvvvzmzzdkD
Threatray	5'113 similar samples on MalwareBazaar
TLSH	E274BF36B928423CDA3F91747DC38EAA8EDA59D3902F4C96DA4CD540CA2D7C50C972B7
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing Formbook:

From: "Marc Weinmann" <marc.weinmann@vem-ltd.com>
Subject: RE: project from YFAI m
Attachment: YFAI Tender drafts.gz (contains "YFAI Tender drafts.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

71

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Formbook

Status:

Malicious

First seen:

2020-05-27 01:25:29 UTC

File Type:

PE (Exe)

Extracted files:

7

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Verdict:

malicious

Label(s):

emotet

trickbot

Similar samples:

00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35

0d271903774ae9467d80cad6fcaec4d2ea4653b8eb4c28e0a1c7dbe0849ccd01

2a40a9e18303875b2db452783190820001c898e8374864fec29793bf43bbe401

5dd8b3d4a4968fecce4bdee9ef9a29df44fa7ce4ad73002ba4dfc5ac14fa9c41

5f09e9c7496cd8bfbb33147b3fea11791894235021e488eb17dcd582c9dae0b1

9c1501fbd2eb669ccbe4a41e37770191e954e6f0dd3e0a954a0670a91df3917c

a492b017c3e12fe55493c562ed1304155616cb61b24f6dce0bfcd3eb7a7bdaf5

b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893

ceee0c8772c6b5a2cff7d9f3bc824c088f3c7d034b9898c74f79e11b59210257

e8edf009c1c82f348ad925f7f9a34b4f241d52240c6cb43ab4536c4b363d5322

+ 5'103 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-vt8wznbxtn/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Deletes itself

Reads user/profile data of web browsers

Adds policy Run key to start application

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.domaky.com/a0u/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz 452d492a2c16a00692ee46024d317cb88f36a06ba858b656e3a175828b393407

exe 2b62f1799021ec3671db2883f808f73b3ba1970abb8c76eff529f2b32250c333

(this sample)

Dropped by

MD5 e9b29bc0038e931bbe53ab53c9249222

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 452d492a2c16a00692ee46024d317cb88f36a06ba858b656e3a175828b393407

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample