MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bbc490de922648bb27754500a208f4693bfe6f10cc8607ef97819d6284af03e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bbc490de922648bb27754500a208f4693bfe6f10cc8607ef97819d6284af03e
SHA3-384 hash: af99e675c9fb9f47d0cc017e3e12e18aa3d86533f2a8942889856b60f67b9952d810481001a9f933afad9856c37d260d
SHA1 hash: df0e761d48e61b0cde972440ea50b37d0fcb0b4d
MD5 hash: 947758a77998658b88369671ae353e18
humanhash: quiet-carpet-triple-twelve
File name:uba.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:608'768 bytes
First seen:2020-09-08 09:56:01 UTC
Last seen:2020-09-08 14:43:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:ZxbnRB7tLmmAoK4gntieO3h8pQYMMDRR9i1HgC9ui2YIhPGlVO:XnJRbK4gtBO3h8lNiN9u
TLSH 63D4BECD362072EEC84BD0769EA92C68EA61747B831F5613902361EEDA4C897CF155F3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: kahteck.com
Sending IP: 103.89.88.18
From: "Jenny Zhou" <account1@kahteck.com>
Subject: Fwd: STATEMENT OF ACCOUNT AS AT 31 AUG 2020
Attachment: STATEMENT OF ACCOUNTS AS AT 31 AUG 2020.xlsx

FormBook payload URL:
http://103.149.12.183/uba.exe

FormBook C2:
http://www.pexmot.info/bnc/

Intelligence

File Origin
# of uploads :
3
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57843/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.7379.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6bbc490de922648bb27754500a208f4693bfe6f10cc8607ef97819d6284af03e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-09-08 09:57:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200908-5v4rna2tan/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.pexmot.info/bnc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bbc490de922648bb27754500a208f4693bfe6f10cc8607ef97819d6284af03e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xlsx e617a1c393996f9a323738a08cfe2848c8608d078d08054ee58caa9d45ff4685

Formbook

Executable exe 6bbc490de922648bb27754500a208f4693bfe6f10cc8607ef97819d6284af03e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/455438/
  
Dropped by
MD5 b3620c184fe0e8d8b4fbd6a9adf6205e
  
Dropped by
SHA256 e617a1c393996f9a323738a08cfe2848c8608d078d08054ee58caa9d45ff4685
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/57843/

Comments