MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b1c79f707bb3089e1568373e8751022e8fc6cf14a318f58041a247c97ccf317. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b1c79f707bb3089e1568373e8751022e8fc6cf14a318f58041a247c97ccf317
SHA3-384 hash: a23e44bee15a79305ef65cfe6fc374ebbc89c8201f33cc471ceb13c2df0f620927aea002b95d12282183ace0c2124cd5
SHA1 hash: 53ceb77e073d08421b31119b3e8bf6891f6f5510
MD5 hash: d37ed01b5b4d3f6ac681f73b05990625
humanhash: yankee-uranus-charlie-wolfram
File name:PO 9903714.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:335'872 bytes
First seen:2020-05-18 06:26:37 UTC
Last seen:2020-05-18 08:22:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3dcb6238fc1bc29ea0e884827788b475 (9 x FormBook)
ssdeep 6144:R722XUbjAolZpbRDLxEzOUPmgc81KAwfrCXDzdkD:R7DKX7ptEbmg7vYCzzdk
Threatray 5'344 similar samples on MalwareBazaar
TLSH D8648C22AA1CC9B9C53F507A7DD2CDAA8ECE8DB3605E8C65D5B8E344C57C781C45B232
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

From: "Salem A. Al-Hamimi" <shamimi@alrawabi.com>
Subject: New order.
Attachment: PO 9903714.z (contains "PO 9903714.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-05-18 03:59:07 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nmoht5yhxmyitykwqnz6q5iqelupy3hrjiyy6waedishzf6m6mlq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
netwirerc
Create hunting rule
emotet
Create hunting rule
Similar samples:
02b10c6690bd0ed3e9b675553519df78a7ede63a398d68304043eacb691fd305
FormBook
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
FormBook
145fe82f875fa5dffa93f13326c20badef3d69187f55ffb85bc0d89172c5ce11
FormBook
17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
FormBook
1db7fd03dd728cf21ada9d1bed2921bb70104a77935ad50aaa0851d4a6d3ccb5
FormBook
5e09510e834b75413af64e013eda43df867fab6080facf4227a08ca64861a244
FormBook
68739817fe82121fcedf1092eca699f59941678ddd9622062c8d40c200bef82f
FormBook
895e7e85e398a6bd3615a8453c1ed21979a2676fa84af0e53077635f812b64fc
FormBook
a88caf11b01cea311aca13b6e757a8974d5033e1acb8749b9d1951ed0d93d44c
FormBook
f9a4827b1355e83175a1ff06792046f8f81e7140748600743636a7725f9a79c5
FormBook
+ 5'334 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-7jl888zqre/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.masionlex.info/kp6/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

z de02f9724a98e24aaf4219f06ff92f8d23017423d7483927c2c5f33051bc7517

FormBook

Executable exe 6b1c79f707bb3089e1568373e8751022e8fc6cf14a318f58041a247c97ccf317

(this sample)

  
Dropped by
MD5 19558901cfb12249e0fd706b856801a5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 de02f9724a98e24aaf4219f06ff92f8d23017423d7483927c2c5f33051bc7517

Comments