MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5605f8e6000402125426e6f6dabd257cf299aa6b179b9ebde2db059aa19e5d12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5605f8e6000402125426e6f6dabd257cf299aa6b179b9ebde2db059aa19e5d12
SHA3-384 hash: d4f6b5ed8a4e2779ca183bd590dedd268995ee24790a728f5cc0499523e0afbc264277363cf4472eff55bc88202833af
SHA1 hash: d6c084077c5389f48a8b28fb88f1d27975bc3e23
MD5 hash: ffaf8a107dacafccfc00741e97b6cca6
humanhash: happy-helium-angel-summer
File name:payment copy.com
Download: download sample
Signature Formbook
Create hunting rule
File size:1'024'000 bytes
First seen:2020-04-02 04:26:22 UTC
Last seen:2020-04-02 06:08:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:eHa+VByEgYiWLAuAoiC28oV6swMNx67o3mOONFqzGEcyEgYiWLAuAoiC28oV6sw+:tyDA/Y9tswMNjJleDA/Y9tswMNd
Threatray 5'296 similar samples on MalwareBazaar
TLSH CA25E05463AC4C7AD29E03B5E06A01C0A7F19517B18FEB9EA80139F95E4F7E2E8431C7
Reporter abuse_ch
Tags:COVID-19 exe FormBook


Avatar
abuse_ch
COVID-19 themed malspam distributing FormBook:

HELO: raisechem.com
Sending IP: 155.94.211.4
From: sales@raisechem.com
Subject: Payment Assistance Due To Covid-19 Pandemic
Attachment: payment copy.iso (contains "payment copy.com")

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject3.37378.27510.19994.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-02 04:35:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kyc7rzqaaqbbevbg433nvpjfptzjtktlc6nz5ppc3mczvim6luja._file
Verdict:
malicious
Similar samples:
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
Formbook
17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
Formbook
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
Formbook
2a40a9e18303875b2db452783190820001c898e8374864fec29793bf43bbe401
Formbook
2bde030373678bb2df1223cd3e3c4e7f2992e30739dcc63b688368f02a100067
Formbook
322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e
Formbook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
Formbook
895e7e85e398a6bd3615a8453c1ed21979a2676fa84af0e53077635f812b64fc
Formbook
d1e9ede488849faab5eb3e767704a4644cc79e6eaac8fe996d90fa164e68f620
Formbook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
Formbook
+ 5'286 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 162d923b6ac3fd131e73ae485c857a31b1088da9c720c3a6f8963b68df42bbb4

Formbook

Executable exe 5605f8e6000402125426e6f6dabd257cf299aa6b179b9ebde2db059aa19e5d12

(this sample)

  
Dropped by
MD5 a670e60b76ddfdffdbd1de0ed88b964c
  
Dropped by
SHA256 162d923b6ac3fd131e73ae485c857a31b1088da9c720c3a6f8963b68df42bbb4
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments