MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50c3229d95c112d70bd8af684bd42e14ca2f38f8fa6b702dcba32e1d70025bd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50c3229d95c112d70bd8af684bd42e14ca2f38f8fa6b702dcba32e1d70025bd4
SHA3-384 hash: e827d6913a40836623e7f1d081c757038ae0ec115d32a1d4fdc6d3dcae350beeea73dfc20a460e60b020aaad8acb23ca
SHA1 hash: f0123f690e0b818c6063f6bb0e9500d670977bed
MD5 hash: f1e7fc79cfc09a77601dc2aae23a4923
humanhash: rugby-pluto-utah-oranges
File name:Drafts POF Project - Cost projection.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:318'976 bytes
First seen:2020-05-20 08:49:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 539936224778cfe4cf6ae63dc3dc67b3 (11 x FormBook)
ssdeep 6144:niRtVjl4lDvqCUMRU1zqUaLBGwECaOvgowXDzdkp:n0Z4h7Va1uUCBqnOvHwzzdk
Threatray 5'137 similar samples on MalwareBazaar
TLSH 82648C22B85C8EACD23F60B679D3CC659ECE1DB3506F8C56C478E311C67C691C5AA236
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: gongcha.com
Sending IP: 80.85.157.91
From: Brian Wang <brian.w@abb-world.com>
Subject: RE: POF Tender - Cost inspection
Attachment: Drafts POF Project - Cost projection.z (contains "Drafts POF Project - Cost projection.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 01:29:33 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kdbsfhmvyejnoc6yv5uexvboctfc6ohy7jvxalolumxb24aclpka._file
Verdict:
malicious
Similar samples:
0d567b16454b8c3be5e7dbc796bf7049c0eb18ba9a625d6b5f45eff7202aaf70
FormBook
12cb6d99b66fe413685b633d1238a5695aa8dc77489bb8ab23f8dd15012a0653
FormBook
165a08681451ecc7ad583d97bacbc449b219a7ea3daa0355f2c77d19907a1d0d
FormBook
2b62f1799021ec3671db2883f808f73b3ba1970abb8c76eff529f2b32250c333
FormBook
51d3cb67de439aca2814ae5eda56dc730fc590ed7353aba47febc451c740f501
FormBook
5767bcddaf9404e411f25e457d8af27eeefa15515f415e901b6e7412708e5209
FormBook
89a226afd800c763daf6097a05275bb5e100b168e8c3fa46a73807075dcec45c
FormBook
ca3ab25a8c3213aa08113b09cc4b60df1d2c440aeb0e02c1e3bd192a57f86208
FormBook
d6330004986cb2968200bad58cb3f1135e2383d9bdf6894feff0f28f952f4c2b
FormBook
fff1c46e62b2f3a4e202e05aebfc1e7d72b8b3c540912fe18f4b97dc4ab50e55
FormBook
+ 5'127 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-e2p9ats1w6/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.domaky.com/a0u/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

z 88ec3c5d32e0f0e3b6a63d2b8b2daacbaafc48ed8f86d450d248522516e6f092

FormBook

Executable exe 50c3229d95c112d70bd8af684bd42e14ca2f38f8fa6b702dcba32e1d70025bd4

(this sample)

  
Dropped by
MD5 5b9de6a95a83b7fe10074741997fbd03
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 88ec3c5d32e0f0e3b6a63d2b8b2daacbaafc48ed8f86d450d248522516e6f092

Comments