MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 538b5708c76c86e74b0bf54772daa9bda7c7bab48b5261541a3bf128714d8e68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: FormBook
Vendor detections: 5

SHA256 hash: 538b5708c76c86e74b0bf54772daa9bda7c7bab48b5261541a3bf128714d8e68
SHA3-384 hash: 482d7dd24a217371ad17c1455cd52a63368bf46033311fd3e2579c4779773c5f8af2748a49893557a7b0284cb98573b9
SHA1 hash: ff8fcb1686a302b07b4dc1048f1537db186aa95f
MD5 hash: b418742ef0a7b6ea714a9f8e5c173701
humanhash: fourteen-foxtrot-mango-carpet
File name: ORDER_1602.exe
Signature: FormBook
File size: 344'576 bytes
First seen: 2020-05-11 08:17:44 UTC
Last seen: 2020-05-11 08:59:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 6144:lWeS2+ApypxwRkWi4It3qfCIk3cwaX0ilbgtExlFE5aS/XXMuiJLLMP5uvqkRZOH:QApypxwRkWi4It3qfCIk3cwaX0ilbg5/
Threatray: 5'216 similar samples on MalwareBazaar
TLSH: D0749E04329D6B7AE4B66BF56AA4A541D7F1306A3462E7AD4CD210CE42F4F81C8B1F37
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: qualitech-solutions.cam
Sending IP: 111.90.140.145
From: Samuel Oberg <samueloberg@qualitech-solutions.cam>
Subject: RE: ORDER SHEET
Attachment: ORDER_1602.rar (contains "ORDER_1602.exe")

Intelligence

File Origin
# of uploads: 2
# of downloads: 85
Origin country: n/a

Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Avemaria
Status: Malicious
First seen: 2020-05-11 04:33:00 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 26 of 31 (83.87%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan persistence

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook

Malware Config
C2 Extraction: http://www.govaj.com/bd2/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam / FormBook / Executable exe 538b5708c76c86e74b0bf54772daa9bda7c7bab48b5261541a3bf128714d8e68 (this sample)

Delivery method: Distributed via e-mail attachment

Comments