MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64ac97cf73567009fd4ea4707b2c0ac2917c74842a81bddf874889d772bf9146. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64ac97cf73567009fd4ea4707b2c0ac2917c74842a81bddf874889d772bf9146
SHA3-384 hash: d5a4680deb284143dff4cedc9bd5a37f29b3102f81c853dceb57b4b179d63ef24b26e3e712bbcf8c2421bfa80f87c767
SHA1 hash: d48bce8d8e3449150c54cdaae72e9d2350f746fc
MD5 hash: 21df851db48df9dabbbc210bf1a3cb80
humanhash: social-wisconsin-steak-minnesota
File name:Vendors Form,doc.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:368'128 bytes
First seen:2020-07-06 06:27:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:rT8V7S5G7i+n3HAApBz+HVlN4cJSfTp1edPumJqlRm3njcj+ZdBuSZ5GrxN:/yuUPn3VkXJATGhPMm3nW+ZdBhDc
Threatray 5'107 similar samples on MalwareBazaar
TLSH 3D74D0B20246BEDEF73D4EB4E25416500EF91C5BAB70C949BDC831D922B6B10D9BCA71
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: airliquide.com
Sending IP: 103.125.191.31
From: TSHABALALA, Mandla <mandla.tshabalala@airliquide.com>
Subject: Vendors Payment-Form
Attachment: Vendors Form,doc.r09 (contains "Vendors Form,doc.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/20796/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/64ac97cf73567009fd4ea4707b2c0ac2917c74842a81bddf874889d772bf9146/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 00:29:36 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mswjpt3tkzyat7kouryhwlakykixy5eefka33x4hjce5o4v7sfda._file
Verdict:
malicious
Similar samples:
047ff786f8bdd92bcf070f006d07ee6ca9bf63bd08213ec6b8807486c8b3f016
FormBook
1423f45cfa5d62d8910075b3cc15855237e0a0bc2e2c18a49b94f0cc8d592602
FormBook
2d4056fad1be6f7748d20dfac087ba9161d7555f0a5f021d462d226e89787ce7
FormBook
4d5c7e3ebcae0ff2419bc76ff30b7681cf9a11751834ee0dcc5868a48f9c30b3
FormBook
4e8ddcec5c75934d0418b3f5f66c20925bd67b6acda0bb0c3a0ee684865a6e4b
FormBook
727a3e431ab50b5cf1cebca1642981bfc29099d4a65f233d0a0f606a624b7272
FormBook
80fa061deb733b05912954a6e3400de75254f23e5befab4616ff978be37b6f9f
FormBook
b346093a964f1c0917debeeb63e70117a1a863714cb977c7f436ed2448aaeab6
FormBook
b5cc8b2d62e6c2d6a9bf080c4c41e19295af7dae7230a63b7f6ad8def08e7ea2
FormBook
c9e39f1f70998e0e3d8cb796ab6dff989eebae5deea058c9a3f637ea2f038ae4
FormBook
+ 5'097 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200706-ngt8qd94vx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run entry to start application
Checks whether UAC is enabled
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

r09 d5a17791f5169c432bd8956a57b801c65ad9bfd4a3b12478a0240be2bd08ceca

FormBook

Executable exe 64ac97cf73567009fd4ea4707b2c0ac2917c74842a81bddf874889d772bf9146

(this sample)

  
Dropped by
MD5 b808bd53f4b57ba9286d155b552b62bb
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d5a17791f5169c432bd8956a57b801c65ad9bfd4a3b12478a0240be2bd08ceca
Cape
Cape
https://www.capesandbox.com/analysis/20796/

Comments