MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
SHA3-384 hash:	76383fdb945b06011cddf98ca7420b8594326d5fbb25139ff046df6f12bf1ea9c0179c6ff522e02901ce493c4d1f1b4a
SHA1 hash:	b88394bd3639af178afae17c2a8161f32332fa1a
MD5 hash:	4711bd00dc794f2626c40e054541aeca
humanhash:	carolina-mississippi-delaware-item
File name:	4700146.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	400'384 bytes
First seen:	2020-06-04 06:18:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:CWgkKUSlwY5NHf92RxDn74bFA7SNAkCz0BbaDfe5D2jiTOz4yoz09953AWwSujYh:vgf1NHf92LkbF1O0BGDQ0WiUWwzjQx
Threatray	5'412 similar samples on MalwareBazaar
TLSH	8184AD2D43B8CB53DA8D47BEC89511245BF684EA8E9BDF58AC94B6E90D03373580712F
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: slot0.galennou.com
Sending IP: 45.95.169.43
From: Azim Premji <azim.premji@mail.com>
Subject: Fwd: Order 4700146
Attachment: 4700146.rar (contains "4700146.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

78

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-04 06:37:40 UTC

AV detection:

18 of 48 (37.50%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=n6bhw2astuygbecxyltlg27akze7z2i5npeo4pjvm3ffy2v2kyvq._file

Verdict:

malicious

Similar samples:

1dd89cec8476c901750387a54eb0cce63addcb6037d96de9a78fd736531f9390

2bd1995c8c2b3f35906807ce4697151cf801af339579cd7b86e467df6474dafa

67c174f4fdeb4a63472a22bb21de9d1b472da3521dcfa4ba8b285e25e1f1fa26

7d65c5f831361d3e7441c49dfe9e5a286c1b142fa1315c3460e144b240a2afaa

7fab1d558e165d232858902d7774749256fb81c20ded2487bbc3b7b2cd0d1507

80d185a291cf5c72cf84c63a49ade7e9d7363a3721aa2967c9d143c7d29fa03d

8791d7218610249f735812d5d7f4f890e0e399c3efab189221bfe96732fc2b1e

8e40f99cc08408c1ee5a1ec56357f23d993e29a6c4e5751a6fad33e7c9e222e1

a1d8dc3627d6274bbc44d637008958b06acf5c9bd4de3d3c8c9229552956d7c5

cc8cf128220c891f74068de7a331bc70c9f7e7a141dba5afdd4eb94adfaba510

+ 5'402 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-pnmfphkjds/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of SetThreadContext

Adds Run key to start application

Maps connected drives based on registry

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.spatren.com/ggj/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 9f29db3198dfe196fc0a8975b9417bf9c0a23194b0adddf0a9e229f288f419e8

exe 6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b

(this sample)

Dropped by

MD5 af590fc195620311b0dd70c3d33870fc

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 9f29db3198dfe196fc0a8975b9417bf9c0a23194b0adddf0a9e229f288f419e8

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample