MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50a183b6130552c9a7613ec0f2d81eba5731d4166e92d5249c2ab81e32d4026d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50a183b6130552c9a7613ec0f2d81eba5731d4166e92d5249c2ab81e32d4026d
SHA3-384 hash: a780cca1ae75d4fe26470885bb94a4b68c978881f21cdf149461b6323be70f47b3e9127e5f1b77e81ba8e56a6c06cde2
SHA1 hash: ae8ea6fb30344db863e754318ff7d3326e5fe467
MD5 hash: d061455274db4dcc9cc54d8bd9dca9ee
humanhash: floor-queen-oven-network
File name:INV_00976HK.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:323'072 bytes
First seen:2020-06-17 06:12:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:BDJSR//LbGKBg3da7WuMMTagamAzyNIum:dk9/Lb/Bi0bamDo
Threatray 5'112 similar samples on MalwareBazaar
TLSH 5864F20DB6AC1735DA7D4A7C99F1354807F8A4277825EA1A9F8432EE1C63BC61B42F03
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: disey.com.mx
Sending IP: 184.154.61.154
From: MML Law Firm <ventas@srr.com.mx>
Subject: COURT SUE M1
Attachment: INV_00976HK.rar (contains "INV_00976HK.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19137/
Detection(s):
SecuriteInfo.com.Generic.mg.3259304b55e59669.30738.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-17 06:14:08 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kcqyhnqtavjmtj3bh3apfwa6xjltdvawn2jnkje4fk4b4mwuajwq._file
Verdict:
malicious
Similar samples:
035c2fa5d912202dd34e8410b14a42b0db007c2be8ed819bbc444f9818497f5b
FormBook
0ffe3a2c15dd0469d00b515316cdf09ae0e6b4dbbffe106297cf7f7d0d1b8197
FormBook
172842029f8937753e79843e36fcb4715c0f3a9de4b256585847df48caf8e10f
FormBook
179043e8eb7c06144c67f58b2c2900ad10303862c0e5cd7e1fe5a4faf853f103
FormBook
27cbd2139f326adf45adefa425f7295af578ac5d9ecceab36da74c5af53def1f
FormBook
2a093b2213d7d589020d69e76fdfd33b441ed125664cb3247d25e9103744011c
FormBook
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
FormBook
344d949f94b4420c0cd7772fa786e17059d5599df223a93ef999ea2c663ad8be
FormBook
76539c09f989d3cc938d6984f9ee8b6680fe2416822d63bf53a1712aaf9b695f
FormBook
846da150185354155686d4f5d45ed5d0791cb8a97769e73e38a33c4d43c75db3
FormBook
+ 5'102 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:formbook persistence evasion
Link:
https://tria.ge/reports/200624-mzxhgawbbs/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar d0b886db39ab25fa4bada1ba69eed8a5091ed8b8eab0ca2091dbe2aef94a8ea8

FormBook

Executable exe 50a183b6130552c9a7613ec0f2d81eba5731d4166e92d5249c2ab81e32d4026d

(this sample)

  
Dropped by
MD5 95e4f8f165d3ec3fbe275e94133c170a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d0b886db39ab25fa4bada1ba69eed8a5091ed8b8eab0ca2091dbe2aef94a8ea8
Cape
Cape
https://www.capesandbox.com/analysis/19137/

Comments