MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5789a1a8980ff4c582d1c9f8b906cd6b1c2ed3854a7ff5cf7992e615bc55a355. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5789a1a8980ff4c582d1c9f8b906cd6b1c2ed3854a7ff5cf7992e615bc55a355
SHA3-384 hash: 4bdb1a5b76ba571003c2c7ef5a49d3e46c14ec7a8ce358e734daabf192839f14d6124b6d46522823dbb57588d12b4ad1
SHA1 hash: 2cc0b9cd3d6318ac037a7918decd98a864025cc0
MD5 hash: cedee2504f8c2800cfad50f021c1b490
humanhash: kilo-lithium-johnny-april
File name:invoice.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:693'648 bytes
First seen:2020-05-04 21:41:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 83a1448767faf700dce12c022b592a4e (7 x FormBook, 1 x TrickBot)
ssdeep 12288:2syaKHzieh1f2H9bFgKjHC8J4okhr/npAQX1N+/UUy5c:xKHXuHHgKrF4oUX/B5c
Threatray 5'080 similar samples on MalwareBazaar
TLSH B3E40255FB4A80F6CC0883316469E503D1A7FCBD49108CDB9AAC319DABB27417DA877E
Reporter abuse_ch
Tags:exe FormBook

Code Signing Certificate

Organisation:VeriSign Time Stamping Services Signer - G2
Issuer:VeriSign Time Stamping Services CA
Algorithm:sha1WithRSAEncryption
Valid from:Jun 15 00:00:00 2007 GMT
Valid to:Jun 14 23:59:59 2012 GMT
Serial number: 3825D7FAF861AF9EF490E726B5D65AD5
Intelligence: 44 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 8815DFF787F21FA8106760CB89C5B4493F4BD45E2CE801D2A4FE1F61DEE0C039
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server1.istanbulnet.net
Sending IP: 5.9.14.147
From: Cheng Duyi <cwy@shtianchuang.cn>
Subject: Good Day Please kindly find attached our New Order
Attachment: New invoice.img (contains "invoice.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

SecuriteInfo.com.Trojan.Siggen9.44429.5888.7987.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 12:52:00 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k6e2dkeyb72mlawrzh4lsbwnnmoc5u4fjj77lt3zsltblpcvunkq._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
trickbot
Create hunting rule
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
FormBook
0a19e568f607fdfaa9368dc8b7880b68fa9c41f1de947c31067b7f971ece0d8c
FormBook
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
FormBook
5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6
FormBook
5bd1a6d714816ecb73b2749dc55bfba2c3b1c76cf60f68bb3e5d24d481d992bd
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
7527530d28c88ea0850926a24ba050a4a77983fb8271309c749ba43e7b10c695
FormBook
a0d38e74310877d9ee7a4d0e75e25272adb25199527d19bc08c0f1ebb21f9ce6
FormBook
a88caf11b01cea311aca13b6e757a8974d5033e1acb8749b9d1951ed0d93d44c
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
+ 5'070 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-ap2tt669a6/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.binzom.com/uw7/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 7ba2cb2f8cfea410e0364ac2f7819d11d7fa6875c7ef6e095c9029d73d547791

FormBook

Executable exe 5789a1a8980ff4c582d1c9f8b906cd6b1c2ed3854a7ff5cf7992e615bc55a355

(this sample)

  
Dropped by
MD5 d0db017f4f1a224d3b0ad6345877fc7e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7ba2cb2f8cfea410e0364ac2f7819d11d7fa6875c7ef6e095c9029d73d547791

Comments