MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 490a783bc399cb6dd9b64ecc8d0f909830fe1a351d18f148493fcdf6eefb52cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 490a783bc399cb6dd9b64ecc8d0f909830fe1a351d18f148493fcdf6eefb52cd
SHA3-384 hash: ef4a8f8c2b5aa1c1a58bd13d27b964d4b9a550d3bdb7ff2aa47c022243459a0fd36c639805d7bc38c3b9c5eb7bb31d93
SHA1 hash: 166c27e826dc2d13a7f5800e36f759821d1c2995
MD5 hash: 1f81cb552bc722707ef778cb3457ed28
humanhash: yankee-island-high-sink
File name:UNSM-RFQ286-2020 REV1-xlsx.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:652'288 bytes
First seen:2020-05-21 10:07:43 UTC
Last seen:2020-05-22 06:44:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e7469bf17b9fb883eded4ceca68acb1 (5 x AgentTesla, 1 x FormBook)
ssdeep 12288:kSCgJ+D+QYBSoSEjaShXc5inDXIL5rZf9PDlsBoo+9iHDEv23pBy:f1dQMthekQrZlJKH3p
Threatray 4'364 similar samples on MalwareBazaar
TLSH 4FD4AE22F6A0443EC123167D9D1BD76C583ABE513928698A7BE51C4D6F382817B37EC3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: unsmuae.com
Sending IP: 103.99.1.174
From: UNSM Marina Zacharoudi <unsm.reps@unsmuae.com>
Reply-To: unsm.reps@unsmuae.com
Subject: AOS Ratchaburi / Stores delivery request- OPL
Attachment: UNSM-RFQ286-2020 REV1-xlsx.gz (contains "UNSM-RFQ286-2020 REV1-xlsx.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.7.24267.5419.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 08:39:28 UTC
File Type:
PE (Exe)
Extracted files:
265
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jefhqo6dthfw3wnwj3gi2d4qtayp4grvdumpcscjh7g7n3x3klgq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
040e2a7b73768aea00579bd04fa834afa4b33966459c4c9d4c4cddfb7cffe8c0
FormBook
1c7388bfdfb41e34dc95423b351d3b18d737889d9f8648da0ce24048d6e2f495
FormBook
1d24189fffd0bdcb0395a3670721f29f37d08bd80565471db28d45ac36b2cbc9
FormBook
1d26a5cf8e279ddaa3ad924224219b550f7d431e8d6adbcb7bd36c01d4eae2d9
FormBook
2fdb0d7b083751a10db872738e974f869b99f2ca21891a5fb96bc9440f827ffb
FormBook
3f256c15a96f8f556978318a55308e3ef709f29d93a18d0c2d262f305477cfb2
FormBook
5ef5d6bc0c7af14274c71cdc4377785a79143786556262137f496a94170ac56b
FormBook
811b6950ba9561169b22ccfc12daf0fc57f26a910272f56288bd0d7c10da5c15
FormBook
bca55e158b112f5d776f4402d48cdfaf5ae42b4d8f2e063ac69ba2405bfcc60a
FormBook
c303fb93eba5623184f5bfb8fefbea2458e25ead795e6d5c5d5e78e921c6490e
FormBook
+ 4'354 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-tk1y1ns6ns/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nyoxibwer.com/hm2/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 53095085e40ccddb3a3446a95278c66531117df309e89154b7525e108ded343b

FormBook

Executable exe 490a783bc399cb6dd9b64ecc8d0f909830fe1a351d18f148493fcdf6eefb52cd

(this sample)

  
Dropped by
MD5 575c86ee7546e3d8242d891a1bd65875
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 53095085e40ccddb3a3446a95278c66531117df309e89154b7525e108ded343b

Comments