MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fc219b61d4c1ec456ac76af0a82dcfde187dcab2b015a277c6ee96b04930091. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fc219b61d4c1ec456ac76af0a82dcfde187dcab2b015a277c6ee96b04930091
SHA3-384 hash: 794b57eb3127d2482c43572a24fa17f07acf2817c744db9e7d091a71a1447dc148fe1b602becabfaf7f83479441dd111
SHA1 hash: e471a180d39f32a4a6978fa9564a279aa31e139b
MD5 hash: 7e49fa7618b3fd3cec572efccad6a2f4
humanhash: oven-mike-fish-music
File name:Swift Copy11.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:378'880 bytes
First seen:2020-06-18 16:04:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:cZCOVOAK/fH0cI3Yrjc8zafX+xVZ4BXpsYT0ZQZ4hbdM:cZCOVbefUcQ2Y2AUZ4xpb4
Threatray 5'103 similar samples on MalwareBazaar
TLSH 4B845B5D93104293F1096B35D67E7E1902203CBD75C2EBD4F6A9BA1BEED5BA2183301E
Reporter abuse_ch
Tags:exe FormBook HostGator


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: gateway22.websitewelcome.com
Sending IP: 192.185.46.234
From: All Ways Travel <support@besttrips.tours>
Subject: Re: Confirmation bookings
Attachment: Swift Copy11.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19823/
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-18 16:36:04 UTC
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j7bbtnq5jqpmivvmo2xqvaw47xqypxflfmavuj34n3uwwbetaciq._file
Verdict:
malicious
Similar samples:
275537d87441c354b859273e0729177d78f185bebdd9a86fac240a3f168a80a3
FormBook
2ad4a02a1f907b8036b9bea0fd940bfb47435964b23ffae577080823c86500dd
FormBook
2b12d292ec4052f1e9d0c407fa6e522c945fda64796468f681c37ed68a25284a
FormBook
2cb2db5123d7c8cce87537dd8de3a48ba93b6b6ee23fa14398355173741f8c40
FormBook
3bc2e6f78c3a261a13546f719d6b089dab1730e8f6539d7ab7a319fc3e410270
FormBook
3f86f49f3c2e3583c70385971bdba545c85d8f2d66f8923bf446dde88be3afc0
FormBook
82a761b4157d1fa4e99dbf36c0f30935b19a1dd9875e330d81a70877aa07bc8a
FormBook
bd3afdd3cda53eebbebcc99b946ff7eb2f972fcf1c5a3a11ffcf633a46f1b853
FormBook
e1103e6f026f85275a21a6263a141142a733a222c923fa7232c4c9935681e91d
FormBook
f163f4788da0d445dec687df7d215b6af3c4bea10589fa268e6aff20ff335510
FormBook
+ 5'093 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware evasion trojan
Link:
https://tria.ge/reports/200624-gmef6gdz1x/
Behaviour
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Deletes itself
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe 4fc219b61d4c1ec456ac76af0a82dcfde187dcab2b015a277c6ee96b04930091

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/19823/

Comments