MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f928f6a534f2420969e9072892d08011473d5993a183c515f2ff2620a33a56f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 8
SHA256 hash: 5f928f6a534f2420969e9072892d08011473d5993a183c515f2ff2620a33a56f
SHA3-384 hash: 1c4f47b100546bc61ebdf401d10d6293adfd55b85968884fddc3e269d41403cb60a8d52cae839bcbc93691d20f268ba4
SHA1 hash: 210c11738cddc0dfc15f2835dd045b811e139301
MD5 hash: 9e75b11066af55f0350d2066dc00d4bd
humanhash: december-five-indigo-beer
File name: uuz.exe
Signature: FormBook
File size: 384'512 bytes
First seen: 2020-08-18 19:51:16 UTC
Last seen: 2020-08-18 22:29:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 6144:L2uHyfJRCllQWH7OeibnkD4L9OhPwnyYSQ9zswCk:iuHyfJiZHa7rq4ROhhIzsw9
Threatray: 2'240 similar samples on MalwareBazaar
TLSH: E084E1187554B68FD82FCC3A99A45C74476032776347F207AC43A9EAAB1DBA2CF015E3
Reporter: abuse_ch
Tags: exe FormBook
abuse_ch
Malspam distributing Formbook:

HELO: pluscargoecuador.com
Sending IP: 103.114.106.11
From: karen.curtidor, Dipl. Ing <karen.curtidor@pluscargoecuador.com>
Subject: RE: Urgent Request For Qoutation(RFQ_#20200219)
Attachment: PO_20202602.xlsx

FormBook payload URL:
http://103.114.106.11/uuz.exe

FormBook C2:
http://www.flekcht.com/usc/

Intelligence
File Origin
# of uploads: 2
# of downloads: 103
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-08-18 11:02:38 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: rat trojan spyware stealer family:formbook
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.flekcht.com/usc/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: FormBook
File: Executable exe 5f928f6a534f2420969e9072892d08011473d5993a183c515f2ff2620a33a56f (this sample)