MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bd1a6d714816ecb73b2749dc55bfba2c3b1c76cf60f68bb3e5d24d481d992bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bd1a6d714816ecb73b2749dc55bfba2c3b1c76cf60f68bb3e5d24d481d992bd
SHA3-384 hash: 564ceded4cccd5cd2893747ac97dd42a40b936238fa6b5a0f65023348afc8e529658a8065ed3fa7731ceaeef0ddd02b6
SHA1 hash: 212f759cad7fd88fe0d6942521f9e06e74ceb61e
MD5 hash: 94050751efb1e23e3a35303294f222ec
humanhash: snake-violet-whiskey-two
File name:Invoice.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:335'360 bytes
First seen:2020-05-19 05:48:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d5fad844b2c47cd92aae84559cf2b888 (6 x FormBook)
ssdeep 6144:8fXmMyPQu0TE0VL54plIBjpLnuLOWXDzdki:8upxUIlU9L5Wzzdk
Threatray 5'101 similar samples on MalwareBazaar
TLSH 7D648D22A62CCAACC93F60777982CD698ECD5CF3A0AE5C15D07CF354C57CA81C95A276
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: gree.com
Sending IP: 173.82.95.217
From: tamia@sophienchandler.us
Subject: 敬请找到我们讨论过的新订单
Attachment: enquiry KH.O7754.img (contains "Invoice.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Mbt
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 02:56:33 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lpi2nvyuqfxmw45soso4kw73ulb3dr3m6yhwroz6lusnjaozsk6q._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
trickbot
Create hunting rule
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
FormBook
0a19e568f607fdfaa9368dc8b7880b68fa9c41f1de947c31067b7f971ece0d8c
FormBook
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
FormBook
5789a1a8980ff4c582d1c9f8b906cd6b1c2ed3854a7ff5cf7992e615bc55a355
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
7527530d28c88ea0850926a24ba050a4a77983fb8271309c749ba43e7b10c695
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
8f71441f8e9db24dceee698de265dab77bda6298ceb4b9bc8cb1d77a54d7229d
FormBook
a88caf11b01cea311aca13b6e757a8974d5033e1acb8749b9d1951ed0d93d44c
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
+ 5'091 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-xmz983hvmn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.binzom.com/uw7/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 5acf27aed870287dee42e37b602856839f98f96390acf217cc9322d242c8f90a

FormBook

Executable exe 5bd1a6d714816ecb73b2749dc55bfba2c3b1c76cf60f68bb3e5d24d481d992bd

(this sample)

  
Dropped by
MD5 28df43c21c5183260cfb4c930bd3bfa9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5acf27aed870287dee42e37b602856839f98f96390acf217cc9322d242c8f90a

Comments