MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f4b543bdd425e2cb35fcc06f79dfac486985ae0d84133c34e0fd01b3a2c22bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f4b543bdd425e2cb35fcc06f79dfac486985ae0d84133c34e0fd01b3a2c22bb
SHA3-384 hash: be54fddd065097e52418a1e9a8ed50eb0c2139384680a67174b2ad3e3a032520f0c2fd3ff6cc78e9222f43650f698236
SHA1 hash: 45e9e0b6dc9fce4583753e3cded6552844de0695
MD5 hash: 8205a489fc508497b86443d6253e294b
humanhash: oranges-king-sodium-angel
File name:po456789__img.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:413'184 bytes
First seen:2020-06-02 17:03:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:MzSLiWcs6J83YKIsh+awGIfGBD+0RNZdWOjFw9du029R:MaiYIsh+NwRNj
Threatray 5'105 similar samples on MalwareBazaar
TLSH DA947B9C766072EFC857D472DEA82CA8FA5074BB931F8503902705EDAA4D887DF244F2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: cablenet.com.pe
Sending IP: 216.170.126.179
From: Herbert Gomez <dynami@cablenet.com.pe>
Subject: Estamos interesados en su producto
Attachment: PO456789__img.rar (contains "po456789__img.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Genkryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 18:35:00 UTC
File Type:
PE (.Net Exe)
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n5fvio65ijpczm27zqdpphp2ysdjqwxa3bathq2ob7ibwormek5q._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
FormBook
1d1c9ee0b1adaa5a121fd70d332785395ad22538f9cdc7db44414c1604e28919
FormBook
1e1a825c158fefa17df9237a4be60bc99e1a2a42ded631c8636b6af668b1627f
FormBook
30bbf2043054b92e495bbd55f67e43b8eafce430bf31d8aaa4899385e503cdbe
FormBook
6830866e2d41b970c95172f9a156522c72cfd238f846c02c19827b2100fc5deb
FormBook
703340ccade47686ffd64ad3bda9829f0b1d8b704101c5f5dc2b66edcf01dfa6
FormBook
8058effea9cbffe67d3cc69221eda22862586eecdb7c9409b4f9fd6eab6ea04f
FormBook
99d9cdc246bf28881b009ae71b1611c83397b23b5adf5b3746f51a5a2903ec24
FormBook
9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838
FormBook
f14d7b35ccb962517c7657f064f0259f4fef55c53c77bfebc8ee360f642b7842
FormBook
+ 5'095 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook evasion rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-6n54kc6jdn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Malware Config
C2 Extraction:
http://www.spatren.com/duj/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar f3b163231a156797f336842bd4e6fce358ce875b7a06430c92d777eb84186f46

FormBook

Executable exe 6f4b543bdd425e2cb35fcc06f79dfac486985ae0d84133c34e0fd01b3a2c22bb

(this sample)

  
Dropped by
MD5 9d546a8d0f24206a897ff8e4b8af21f5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f3b163231a156797f336842bd4e6fce358ce875b7a06430c92d777eb84186f46

Comments