MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 370293d95666a952ba140489c797e3c7d82a92cb400e360f7743075aee04ca10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 370293d95666a952ba140489c797e3c7d82a92cb400e360f7743075aee04ca10
SHA3-384 hash: 40347566ead638bf048d98751c3f158d2d5b0925845ec165fb778ac7d85f08c2b4141367fff9a6c388e06a33b327e1dc
SHA1 hash: d0064d5dff2613aa21a8229492c2c3149ba7ec1d
MD5 hash: eb5dd6ea7ec8c4897c3031824637414c
humanhash: purple-grey-tennis-happy
File name:Drawings & Related Specifications.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:512'000 bytes
First seen:2020-08-18 12:00:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:vuQ16pHy86FQNTPmjE79nW31TMgTCimkrDqs9gWmKXsD2XN4:116pHy2NTP99W3Sg2ilT9ynu4
Threatray 2'240 similar samples on MalwareBazaar
TLSH C0B4E13237A9DA15D27E5736CDDD600403F9B803AA22DB6EBCDC229C49127A247637D7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps26145.inmotionhosting.com
Sending IP: 104.247.72.208
From: Annabel Mason <a.mason@texceltechnology.com>
Reply-To: Annabel Mason <saleps@dr.com>
Subject: LEAD TIME // Price & Availability // UR CONTACT US
Attachment: Drawings Related Specifications.7zip (contains "Drawings & Related Specifications.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47794/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/370293d95666a952ba140489c797e3c7d82a92cb400e360f7743075aee04ca10/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 12:02:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g4bjhwkwm2uvfoquase4pf7dy7mcvewliahdmd3ximdvv3qeziia._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1b114b7614a73e7b1b75355a4904a7314a91c39ec385a246a67624dfc11b7b8e
Formbook
375426a8a107b6dffc4876f9aa54782cee5f767dba75fee84084490deb399b46
Formbook
4077e5eeadfc447b88c36f638c37adc77ee35766a737e4a7aca64e61f2ef3d1a
Formbook
4a4a387983341342182c18e3f269ba519bb44f457733f739b90d4e4567d51d02
Formbook
510b24a8ddcc1a99925f07d8ec0b56489930147a95810b787291b3396bd54a7c
Formbook
878d3d77023a927c7dc6aaab23b90cd1203bcd1bacdeedf997692a4c60d24129
Formbook
9963cb9f95312d222c99fac596b5bf02d81ace63ebde79c37e2312d3e2ecd32f
Formbook
b2d8df96514495cb6b3fe66a6d61e70b8b6e92426910db93f7ae521be4fd2762
Formbook
d4224f6f5b734de53a5a7e5f5675b05f9a808deb058e64d00859146f8255594c
Formbook
d9ba192982200a73ca54ce3c9f10c43a185e0d99864eee685bc7ba70c311110a
Formbook
+ 2'230 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200818-a6qyn6al86/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.magento-tracks.com/cvd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/370293d95666a952ba140489c797e3c7d82a92cb400e360f7743075aee04ca10

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar c6a43c729575d33894b66ed9072add24ba50d9a48646343956f724c2403ae861

Formbook

Executable exe 370293d95666a952ba140489c797e3c7d82a92cb400e360f7743075aee04ca10

(this sample)

  
Dropped by
MD5 712dbe7efedc036a49def570f28e212b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47794/
  
Dropped by
SHA256 c6a43c729575d33894b66ed9072add24ba50d9a48646343956f724c2403ae861

Comments