MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f1759c73e6a30da4906dba3c46112a2e8460acc51c3533524cc42198b01b747. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f1759c73e6a30da4906dba3c46112a2e8460acc51c3533524cc42198b01b747
SHA3-384 hash: ebf22c9d6699f10f9c67b28d03454a888c4cc5a8a28ee6095db06ea01c68deae658ef7dca6f525481796b672c3220f19
SHA1 hash: 4df5e1228e442cabfc540176834589898a4f768e
MD5 hash: 31df90eb8d81ea61e41dbf411bba832b
humanhash: hamper-carpet-nineteen-sixteen
File name:MT OCEAN STAR- ISO 8217 2005_pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'497'600 bytes
First seen:2020-05-04 17:45:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:Otb20pkaCqT5TBWgNQ7agBLsyxlG7YUGEsz9oYcUzchvw46A:7Vg5tQ7agBLsyf81M5y6UV5
Threatray 3'130 similar samples on MalwareBazaar
TLSH 7F65E01363DDC361C3725273BA6AB741BE7F782506A5F96B2F94093CB820162521EB73
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: r1.cleanmx.pt
Sending IP: 130.185.80.27
From: Vungtau Ocean Shipping Agency (VTOSA) <operations@vtosa.com>
Reply-To: operations@vtosa.com
Subject: REQUEST FOR QUOTATION //MT OCEAN STAR// ISO 8217 2005
Attachment: MT OCEAN STAR- ISO 8217 2005_pdf.arj (contains "MT OCEAN STAR- ISO 8217 2005_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27684.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 02:05:00 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
26 of 30 (86.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n4lvtrz6niynusig3or4iyisuluemcwmkhbvgnjezrbbtcybw5dq._file
Verdict:
malicious
Similar samples:
1b744cf41f0eb9413171e9350d4d8e7771f6ddf0c3de18be8498703c587bd00e
FormBook
1edf8c6bcf0ae2b38e9e28bcb1fd838c2ea35b5b126e4bc9e42daa2e1e722298
FormBook
4f51da0a7034a3b491bf21d56896d2cc97f5f240911abfaeacfe73d80bd84a34
FormBook
6fd98f10610827553549cf795c654fde41891da53df2a254f37a645530b809c1
FormBook
86333eeabea84fc31061006475bc4fb4bdc9739789cbcd33dbca4f5aac7d260e
FormBook
8ca9ad9aedc2d32e50609ca807c71c459560d63b78c9022d7b6d9ad480d19498
FormBook
9465c69c18144431c36b77e4b36534684c7717f1d9970eb522b8aef716dd2458
FormBook
af076d38fb1a0fe805a6a835aefa72a1eaa827bb0421dcc91bd2e6153469d60d
FormBook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
FormBook
ea95c0511e50da3a5225f551733b37b0b8f117b42dacd071620984fb550a00c9
FormBook
+ 3'120 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-5xv9q99q9j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.porcber.com/y8z/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

arj 5baf9d0dac3d4c74f8721877e94be48d858cfca9a2ee65ddf4d8dadf3974e4d2

FormBook

Executable exe 6f1759c73e6a30da4906dba3c46112a2e8460acc51c3533524cc42198b01b747

(this sample)

  
Dropped by
MD5 1573586ff97b01caa0954fda3bc34f3c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5baf9d0dac3d4c74f8721877e94be48d858cfca9a2ee65ddf4d8dadf3974e4d2

Comments