MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bde030373678bb2df1223cd3e3c4e7f2992e30739dcc63b688368f02a100067. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bde030373678bb2df1223cd3e3c4e7f2992e30739dcc63b688368f02a100067
SHA3-384 hash: 9ace51f82117e70bb0b45234c5895c5aa45f0b1999d28548a21ed0e8b33731cb5268394484c2b506455e585884065785
SHA1 hash: fd742a3ac272dfef13ac93e9d0a9ee45f3e4e048
MD5 hash: eccf9e17e707699c7cffcc212bb7e7cc
humanhash: table-bacon-five-cup
File name:payment copy.com
Download: download sample
Signature FormBook
Create hunting rule
File size:1'025'024 bytes
First seen:2020-04-02 06:56:41 UTC
Last seen:2020-04-02 07:48:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:PHOS/q+zVvGErwnhRwslIds9U3mOq7AZVTgZ2V+zVvGErwnhRwslIdsL28:WvWihRwsGouJq76pgZKWihRwsGj8
Threatray 5'113 similar samples on MalwareBazaar
TLSH 8825E16853AC4D7AD68F0378D0A901D0A7F19117B18FEBAE68467DF95E4F3D2E806183
Reporter abuse_ch
Tags:COVID-19 exe FormBook


Avatar
abuse_ch
COVID-19 themed malspam distributing FormBook:

HELO: raisechem.com
Sending IP: 155.94.211.4
From: sales@raisechem.com
Subject: Payment Assistance Due To Covid-19 Pandemic
Attachment: payment copy.iso (contains "payment copy.com")

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject3.37378.31410.28613.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-02 07:35:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
26 of 30 (86.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fppaga3tm6f3fxysepgt4pcop4uzfyyhhhommo3iqnupakqqabtq._file
Verdict:
malicious
Similar samples:
17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
FormBook
2ea5a4fb25528051254f255dc64913ca7d4faa1ecba2f40a55b536f871624fb9
FormBook
5605f8e6000402125426e6f6dabd257cf299aa6b179b9ebde2db059aa19e5d12
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
6f95416c1006a499c7012c6cde49a27f83223c665cf9b28764030afeb04bf697
FormBook
c1b2a36d08dfb9bc18d53112299e6cef0c5057885918a4485b8f1b87a20d709a
FormBook
c99fc7455ba8df7d54e74b20d4a3db4ef2e29bd73309119a24cc46f28122697e
FormBook
d1e9ede488849faab5eb3e767704a4644cc79e6eaac8fe996d90fa164e68f620
FormBook
eb3e94888d5e945faf0b570acc1b2a4652f1b92940e8ac1cd62ff756d39aa1a0
FormBook
ebfc26187e0b0ad6924461b1f2476321c53b5a23fbfe246e3ed5a475a1ea5678
FormBook
+ 5'103 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

iso ff0eb718e5edcd46894e57298e33bc06055f302ebfb3b8048e6a5b703621be94

FormBook

Executable exe 2bde030373678bb2df1223cd3e3c4e7f2992e30739dcc63b688368f02a100067

(this sample)

  
Dropped by
MD5 9eb1d60f17a6242cbb455b54714e2ee4
  
Dropped by
SHA256 ff0eb718e5edcd46894e57298e33bc06055f302ebfb3b8048e6a5b703621be94
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments