MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 391a7e0172d79865fadaf54777398f0cfa129ae9fa39ffe5d40870837f791eb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 391a7e0172d79865fadaf54777398f0cfa129ae9fa39ffe5d40870837f791eb1
SHA3-384 hash: 535ae56ea5f30bb09cd1d512650d232ace9ecccf0e737976a55730951712fedd29bc0affdb0f08ab73c4f9afd8a2051d
SHA1 hash: f3f0a789dd2d1a528f4a159b8a1429461f130cff
MD5 hash: e0f0b5e501ddd112944536514eccc882
humanhash: alpha-hotel-fanta-massachusetts
File name:RFQ20200603283 QUOTATION REQUIRED PDF.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:289'792 bytes
First seen:2020-06-03 10:12:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:1o0QNTx+Szs0JlOI7BcM/OTI7ki1KgeK+mDLtt4/Tob:/Jkv4OOT0ki1K++mDLt6bA
TLSH FC54CE40B9A9854FD89A03F7C5FB6D1403769D13A282D68D3E8E71D527237EF0805AEB
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

From: maurlce.clerc@yahoo.com
Subject: QUOTATION REQUIRED
Attachment: RFQ20200603283 QUOTATION REQUIRED PDF.r00 (contains "RFQ20200603283 QUOTATION REQUIRED PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 11:00:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
20 of 31 (64.52%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=henh4als26mgl6w26vdxoompbt5bfgxj7i477zoubbyig73zd2yq._file
Verdict:
unknown
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-2a8tr8tb66/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.masionlex.info/i60/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

r00 a1e1f20f6ceaa8d29aa7afd7b4da8cb4aee9571c539fb377aeeaa898b021fc74

FormBook

Executable exe 391a7e0172d79865fadaf54777398f0cfa129ae9fa39ffe5d40870837f791eb1

(this sample)

  
Dropped by
MD5 b6ff2d622f4fece142955a0b35bc11bc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a1e1f20f6ceaa8d29aa7afd7b4da8cb4aee9571c539fb377aeeaa898b021fc74

Comments