MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54afdaff6d05973b7c58978614f80dac9060bca2ef2f0e1835fa05b80e3da626. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	54afdaff6d05973b7c58978614f80dac9060bca2ef2f0e1835fa05b80e3da626
SHA3-384 hash:	12844adec32dfa46b46d2cb1405f1e15cc4cb946e33ca747be5fe14239e437f3b1c728178d39b6059925db9910744724
SHA1 hash:	5d6e041a85f5cbee2fa6afc3109f2a6cf7a93e74
MD5 hash:	e62e71239458c4fe6226246e88997647
humanhash:	bravo-leopard-east-september
File name:	e62e71239458c4fe6226246e88997647.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	285'696 bytes
First seen:	2020-06-01 07:19:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:gxUfy7J1XbW7ujy09zW/9F02gny15c8Q31OxlYcFvkyfp4:gxUfoo09C/AiLc8Q31RcFU
Threatray	5'255 similar samples on MalwareBazaar
TLSH	8E5412CC2694513FD52E9EFC714160441BF5DA6A6A83F7DEDCB398E2296F3C10B01A26
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

84

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Genkryptik

Status:

Malicious

First seen:

2020-06-01 07:26:21 UTC

AV detection:

21 of 31 (67.74%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ksx5v73nawltw7cys6dbj6anvsigbpfc54xq4gbv7ic3qdr5uyta._file

Verdict:

malicious

Similar samples:

0951d8c7c31922177bfac1849388cf7e947d6e51ccbf936c7edd1e6d7c44da9d

0c3d2c9f3d8e38323436d7f47852059f7b0cfc19fa53c86196b5376b8ebe5aff

57234a3ec3bf2d3e6539a25221595d791fcf68dbed39a942651819c74fc3c664

575cd2d06aa99a48ed59b412bb87aba3b3e3cd66093c7f9efd118bf533032ba3

590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23

6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b

8255284fa792c767fd2464364f12f297fa92a38383d2303d7cf9dcb8b74bdfa5

85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd

bb973839df53081c969a7e6647bdfc2d3090b43b496fe8e2244a51a604264112

df2bbdd833be8896f46c8660acfc9da2711f2a75d8338240b781fc6ee3964f9e

+ 5'245 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-62fbyrfahj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.joomlas123.com/4vx/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 54afdaff6d05973b7c58978614f80dac9060bca2ef2f0e1835fa05b80e3da626

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample