MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ebe7729fe5d80990333d4c0255af3b23e4ec2c1f61b9ea563eeb3e050943735. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	3ebe7729fe5d80990333d4c0255af3b23e4ec2c1f61b9ea563eeb3e050943735
SHA3-384 hash:	0cbf1bf7c0f51c59ee42f20253b069a36767195aa580c8269ba880b33fa1a3a829bb49970ec3f80b80b4239826b08c39
SHA1 hash:	a26698416a77275c135e002a9b0e02e45aaa44a8
MD5 hash:	384455ed03ed57222ef2b6b7fe0dbedd
humanhash:	indigo-bravo-orange-blue
File name:	Order 260520.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	325'632 bytes
First seen:	2020-05-26 10:47:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	191709e6650284e27036426aeaf6a5da (2 x Formbook)
ssdeep	3072:I9dmeda8J6bMcZzAL4nwphSNacYAJItWYgECKKWGSMzrUhQCR4DUtIGKCGT0n2Lj:ydm/Xwxc1qgTKKdnfCQAIGleUXDzdkD
Threatray	5'105 similar samples on MalwareBazaar
TLSH	E064BF22E568413CD63FA0B83EC7CDAB8DD64993606FCC55C59CD101CA2DBD588AB277
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing Formbook:

HELO: vps.galennou.com
Sending IP: 45.95.169.43
From: Sanja Momirović <info@galennou.com>
Subject: FWD: REQUEST FOR QUOTATION
Attachment: REQUEST FOR QUOTATION.rar (contains "Order 260520.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

70

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Formbook

Status:

Malicious

First seen:

2020-05-26 12:15:00 UTC

File Type:

PE (Exe)

Extracted files:

7

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Verdict:

malicious

Label(s):

emotet

trickbot

Similar samples:

347aa505ad319b4d8ee54aabe34dfc2af12b4747af23c6b635821ba9aedd0e32

4334ef4236c8a8b7c1c3463875315f16b35ba1d4dfac8c67f8c0cb81f950d850

51ba9fa1830056b815cc4203b57ee4f46b26a5f7dd7f6a01066c94fb88bf8f01

590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23

5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea

6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b

a492b017c3e12fe55493c562ed1304155616cb61b24f6dce0bfcd3eb7a7bdaf5

c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348

d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba

e7bbeb241bd49fc993af86cd823ae51bbaa27af0cb5ac02fad387158d8f4fa30

+ 5'095 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan persistence

Link:

https://tria.ge/reports/201109-pkmw97kfg6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Deletes itself

Reads user/profile data of web browsers

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.spatren.com/ggj/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 8b91b37932414c4dea8ec42245f43959e00f635e4ebc4da721edab13d286db27

exe 3ebe7729fe5d80990333d4c0255af3b23e4ec2c1f61b9ea563eeb3e050943735

(this sample)

Dropped by

MD5 a9d172167411b8531c29b102b393fdee

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 8b91b37932414c4dea8ec42245f43959e00f635e4ebc4da721edab13d286db27

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample