MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30bbf2043054b92e495bbd55f67e43b8eafce430bf31d8aaa4899385e503cdbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30bbf2043054b92e495bbd55f67e43b8eafce430bf31d8aaa4899385e503cdbe
SHA3-384 hash: 77617fdc2be5769672e9bd4bd872f9a6ab1201a5dbac55e66a56a0cf13b63ad963d026ba1e713dc9b0d392b8f5dcca29
SHA1 hash: 4bea4c46b11e0e096d0d9cf34cdab5b11b001d90
MD5 hash: 56c623aaef953d0c9e12d8dc1db68bf4
humanhash: missouri-michigan-emma-pennsylvania
File name:PO 19877.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:690'176 bytes
First seen:2020-06-03 10:54:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c30bc6e69598a9e79d9571eedd41ffa (8 x AgentTesla, 2 x Loki, 2 x FormBook)
ssdeep 12288:jo6a/b0kfLj8dG+6+Onu/SaWSDhrVaFxEZdgFUp1Z7tC0qgjI6w:XyNLjiOnRhS3anEXgY1Z7A0q4
Threatray 5'366 similar samples on MalwareBazaar
TLSH 52E4AF22E6E04437C1E3167D9C1B57B8B82ABD11392C7D4A6BE4DC4CAF39781353A297
Reporter abuse_ch
Tags:exe FormBook Outlook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: NAM11-CO1-obe.outbound.protection.outlook.com
Sending IP: 40.92.18.82
From: THE FIRE FIGHTERS <thefire.fighters@hotmail.com>
Subject: PURCHASE ORDER 19877
Attachment: PO 19877.uue (contains "PO 19877.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 12:40:28 UTC
File Type:
PE (Exe)
Extracted files:
294
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gc57ebbqks4s4sk3xvk7m7sdxdvpzzbqx4y5rkvergjylzidzw7a._file
Verdict:
malicious
Similar samples:
0a06767c6ec2249902ef118e04b2044b9784b544b81a7f5e253ae373fd706ceb
FormBook
157ef05047452109ec1552af00806f1469254bc14a5cc942e41180ee82d508a7
FormBook
1b7e04d537fb0ed215cf1d0d4445def97cae4701c1c889f4e94736e1814d9233
FormBook
1d1c9ee0b1adaa5a121fd70d332785395ad22538f9cdc7db44414c1604e28919
FormBook
1e1a825c158fefa17df9237a4be60bc99e1a2a42ded631c8636b6af668b1627f
FormBook
3527457b184139953c43be59287281eb8f797e9cc8f3e9d637362276fe4f83a2
FormBook
58f28dd7cc2c257f5ac8dec9111d8cf8942e1cf62bb8334f4922e4b124d4eab9
FormBook
8058effea9cbffe67d3cc69221eda22862586eecdb7c9409b4f9fd6eab6ea04f
FormBook
c28628e453851e95098e1706bb1d130a863b70abd4b5c316ea710f83ef68b0a1
FormBook
c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348
FormBook
+ 5'356 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-q6rfw55bea/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.worstig.com/w9z/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

uue a0e0ddd35e515a6cc87a5eb5462c3cbb2b263d5fc33ba3a910b06b4e3f58cddb

FormBook

Executable exe 30bbf2043054b92e495bbd55f67e43b8eafce430bf31d8aaa4899385e503cdbe

(this sample)

  
Dropped by
MD5 1dfabc735c938dcd84a4dbb25da8b70c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a0e0ddd35e515a6cc87a5eb5462c3cbb2b263d5fc33ba3a910b06b4e3f58cddb

Comments