MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b374209103049367377912f01bee277ac736b1f7d0010b87e8fac5c18986dff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b374209103049367377912f01bee277ac736b1f7d0010b87e8fac5c18986dff
SHA3-384 hash: 1549f738ad29231588f5b235f60d80bb67d9dc888629bc193e759442bd702cb4f78b5bda401530791ae882de390f8f1f
SHA1 hash: d817c18c636d8bbf015995c1b647f660b342e813
MD5 hash: 0a3895bbb2d63d9ecfde4c0f3c0972b9
humanhash: hamper-mockingbird-low-beer
File name:PO.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:518'656 bytes
First seen:2020-05-20 08:27:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:MOmG/E7/fdHaOjHDQXCmg02j6UNYlvDqAM1OThUvOXt84LvnhAp080OqKoePx:MOm0E7/xDmwyGDmhLv7OqKoep
Threatray 5'353 similar samples on MalwareBazaar
TLSH 8CB48D873544899ECFAD50F65242898423F59CBBE504E7895FC932DB3ED2BE3492270B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: cathay-food.co
Sending IP: 111.90.140.123
From: Philip <prs@runge-sorensen.dk>
Reply-To: piusequip20@protonmail.com
Subject: FW: we need supplies urgently
Attachment: PO.zip (contains "PO.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 08:36:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
22 of 31 (70.97%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pm3ueciqgbetm43xsexqdpxco6whg2y7puabbod6r6wfygeynx7q._file
Verdict:
malicious
Similar samples:
023ca25a18e7b6fe4c2346878ff4e688c011ef10900611f59689c4881f76579c
FormBook
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
FormBook
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
FormBook
2df514e021d7b92b4c12d4a4c37b67e012483b18142c7b7cf562180584b8eb27
FormBook
5b15b1fd3bf2eef911358d7125b5120eb716dcd75af883cd133dc0e346988c85
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
c4cd89d489b7605791a6cbb36b373089c926972fe51b5ddaa584f0870febf58f
FormBook
ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
fb000356c5a5e099f9298966a08d806286aab7a9c54f324437a7248af114c109
FormBook
+ 5'343 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-7av36s2drx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mansiobok2.info/sa06/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip ecba517838238c6575ee8579eda8db96326aa7ad1dd68911211b0d9599f474ed

FormBook

Executable exe 7b374209103049367377912f01bee277ac736b1f7d0010b87e8fac5c18986dff

(this sample)

  
Dropped by
MD5 3c154ef074708b0ff4ba2ae4e4faabe5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ecba517838238c6575ee8579eda8db96326aa7ad1dd68911211b0d9599f474ed

Comments