MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b775ccff09e5e183a237343bbc0b6057af38838c0781d7927ac5aa686d2e56b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	5b775ccff09e5e183a237343bbc0b6057af38838c0781d7927ac5aa686d2e56b
SHA3-384 hash:	fdd7638e026c6810db77c9056c4213cd090b0b873047a22fbcc1d5a602fcb10e5b4240a22425b609c786c3fda70d7c96
SHA1 hash:	1b5a3b9965cbac3b112fdd4c5ccf7ead389c270d
MD5 hash:	19cf4db2791fc60e7239d769d100ebf1
humanhash:	nebraska-triple-uncle-pasta
File name:	Dco.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	375'296 bytes
First seen:	2020-06-12 06:29:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	6144:Gq4ULmva6JiEV8SmfS0pKxbUjG+PY3nbb2KyaC2KQZ7rOuLyGMpK5h:GBiG8Sm648bUasY3bb2KykC85h
Threatray	60 similar samples on MalwareBazaar
TLSH	3384DF02BB3C6B67ED794BFAD4205AA403B01BA92115F76B7CD178CA08E77062512F5F
Reporter	abuse_ch
Tags:	exe FormBook Yahoo

abuse_ch

Malspam distributing FormBook:

HELO: sonic301-30.consmr.mail.ne1.yahoo.com
Sending IP: 66.163.184.199
From: abdul rehman memon <seyani_1234@yahoo.com>
Subject: FW: Payment Transfer
Attachment: Dco.rar (contains "Dco.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/9073/

Detection(s):

Win.Malware.Efgo-7455698-0

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-12 06:31:07 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ln3vzt7qtzpbqordonb3xqfwav5phcbyyb4b26jhvrnknbws4vvq._file

Verdict:

malicious

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-pn7pnxhnje/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.hearxy.com/s5l/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 93d60bc86f162809dac87051b5ede24533af21ed5c4b7b70fdf4590f100d6075

FormBook

exe 5b775ccff09e5e183a237343bbc0b6057af38838c0781d7927ac5aa686d2e56b

(this sample)

Dropped by

MD5 c24894b9052f318f5f27c9c06ce38574

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 93d60bc86f162809dac87051b5ede24533af21ed5c4b7b70fdf4590f100d6075

Cape

https://www.capesandbox.com/analysis/9073/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample