MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7527530d28c88ea0850926a24ba050a4a77983fb8271309c749ba43e7b10c695. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7527530d28c88ea0850926a24ba050a4a77983fb8271309c749ba43e7b10c695
SHA3-384 hash: 3ab850d44c5a5988a563122beaa4d133d80e973aba22ec9c0d3f432caca7fa6cfce68e70c1ce9943df8e76c80cdddb82
SHA1 hash: 26e3eed8ee5b0e18cc401ed88b73b287c8ad8de7
MD5 hash: a88e4bd1e3507132fcdd28f38a6751f7
humanhash: seven-blossom-wolfram-fourteen
File name:new.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:274'432 bytes
First seen:2020-05-05 07:47:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'754 x AgentTesla, 19'661 x Formbook, 12'252 x SnakeKeylogger)
ssdeep 6144:NJDjYhjvPQEXKqVpjOF3uPImPX8IsnLtU3B1d9vVG:7DjojvPQCKqVlOpVGRE
Threatray 5'075 similar samples on MalwareBazaar
TLSH B2441266BF0DF822C17C293E20E72B550E35DF6B8083565E4BFC51AC58197E526C19E8
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: hosting1.gugocreative.com
Sending IP: 138.201.21.74
From: Archana Ambolkar. <info@beerbhde.com>
Subject: Kindly send us best offer for below items with terms and conditions.
Attachment: invoice.zip (contains "new.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.EPI.17040.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 09:37:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=outvgdjizchkbbije2rexicqustxta73qjytbhdutosd46yqy2kq._file
Verdict:
malicious
Similar samples:
0a19e568f607fdfaa9368dc8b7880b68fa9c41f1de947c31067b7f971ece0d8c
FormBook
0d271903774ae9467d80cad6fcaec4d2ea4653b8eb4c28e0a1c7dbe0849ccd01
FormBook
16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e
FormBook
5789a1a8980ff4c582d1c9f8b906cd6b1c2ed3854a7ff5cf7992e615bc55a355
FormBook
5bd1a6d714816ecb73b2749dc55bfba2c3b1c76cf60f68bb3e5d24d481d992bd
FormBook
75952934e5ef6bb74f29c3320ef112e219cc953dc5ed8c351d742448f61161ff
FormBook
7a755f37dfb67f9ee5f00330aeb01fc6262adc740d610549dbb2ec83e99a2618
FormBook
8842ac3497c777517b2f18152eabaa0994a460d249773a5e89a4e16bca2bd741
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
ebfc26187e0b0ad6924461b1f2476321c53b5a23fbfe246e3ed5a475a1ea5678
FormBook
+ 5'065 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-37hk2914t6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Maps connected drives based on registry
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.binzom.com/uw7/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 02b4d21a4dcfe793027cc1be224d94f5334fff82ac52248a3e44aba68666978d

FormBook

Executable exe 7527530d28c88ea0850926a24ba050a4a77983fb8271309c749ba43e7b10c695

(this sample)

  
Dropped by
MD5 12e0e4ff2d88c07589c90c8e2fd5438f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 02b4d21a4dcfe793027cc1be224d94f5334fff82ac52248a3e44aba68666978d

Comments