MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b939c76950b25a4e132860f637b3de9f561022e96481bb5f881b21e57e5898b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	7b939c76950b25a4e132860f637b3de9f561022e96481bb5f881b21e57e5898b
SHA3-384 hash:	1bcc3ac978aa200fc314773ccc4afbf0a01b7b40d8f938dceba02cfea10d62abd728a20f98001ded575172ed8cee3a8f
SHA1 hash:	6c411a5f4ab9c69a7a48f8b8c97e5b5ee356a04e
MD5 hash:	fd261f53f1a33be172f7b21b0fa7c33a
humanhash:	butter-music-six-ink
File name:	nowe zamówienie.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	830'976 bytes
First seen:	2020-10-19 10:31:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:u84C+gqqA1Hmxh8efMPQWiPNZnzgZ+f1HXVDanPuguZax4LjhkYbEOxs:uSEPTKbzs8RVIuZax89OOxs
Threatray	2'615 similar samples on MalwareBazaar
TLSH	FC058D252B587F68E17D4337A8A4180087F5EC13A334C81F7CE5368E5EB1BE69613B96
Reporter	abuse_ch
Tags:	exe FormBook geo POL

abuse_ch

Malspam distributing unidentified malware:

HELO: host2.himbimarket.com
Sending IP: 72.52.244.66
From: Gregor Kosec <export@filtroscartes.com>
Subject: Re: Re: zapytanie ofertowe
Attachment: nowe zamówienie.zip (contains "nowe zamówienie.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/72892/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file

Result

Threat name:

Unknown

Detection:

clean

Classification:

n/a

Score:

0 / 100

Link:

https://www.joesandbox.com/analysis/495244

Behaviour

Behavior Graph:

n/a

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/7b939c76950b25a4e132860f637b3de9f561022e96481bb5f881b21e57e5898b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-19 06:37:09 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pojzy5uvbms2jyjsqyhwg6z55h2wcaroszebxnpyqgzb4v7frgfq._file

Verdict:

malicious

Label(s):

formbook

Formbook

77e828d113038623ccfca7e111b60675fd36ea404545f8ce828d7f8505244f0d

Formbook

805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb

Formbook

8192d560e89e235f4734cf4ad8fa3a9a91abd7eb83b589c4d471efc5d6361f1d

Formbook

a2158f5ab307d2418f9653ea6bfd8914fe390a99137ee96191266c01ba93977a

Formbook

aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6

Formbook

b85e964144a64d78fc54b4e6bae83ba6e1c7179f0a820f361c27f58842b6940a

Formbook

c032e316eefbacca4b3ddfe7fc2ee9ac5f86daea767232d2322f7fdfe4b18993

Formbook

c68e4b825434bac34abd9d5428ea2c30fc60c8b47db17de743782825687547d5

Formbook

e232dc56a916d659961271caf129b47c5fa561f71ecff17f6c96801cd7b50820

Formbook

+ 2'605 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/201019-vyy9yqeskn/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.kumcal.com/fs8/

Unpacked files

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/1436e101-2edd-4170-b0a4-59be14469231/

SH256 hash:

d753b463eedf7feb20249126207f9b27affbdda8772e9cb0aec387925e8c85bf

MD5 hash:

7254253c1eced3410d78c523333626f7

SHA1 hash:

ad88c953debcee37105f737ad91c4732382a7ac1

Link:

https://www.unpac.me/results/1436e101-2edd-4170-b0a4-59be14469231/

SH256 hash:

cc111a29f26efb91472f200599a7dc65c51208714ac54734f6505c5b63bdb782

MD5 hash:

a688a9275d0639ed718d3d0643b6d20e

SHA1 hash:

d9b816c3b4a08bd1effc29b8300e224e8b469568

Link:

https://www.unpac.me/results/1436e101-2edd-4170-b0a4-59be14469231/

SH256 hash:

cb6b0604e17f8ff0f50bf5ad2014f795ce0d8b0b293c7e11f1a44bb7c94dcdc1

MD5 hash:

c97bcbc8758043b5b5b8ed037505c74b

SHA1 hash:

f54cf01236377bdf1f7f6b371e0604fe80b3db91

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/1436e101-2edd-4170-b0a4-59be14469231/

Parent samples :

e132699f63854eb3c66be165867f2cafc37d29a8a3a4ca3c4c6949ed42ddde95
5169448790953f95b005aedf779cc9cc9443ab52550650cbae197033d5c227e0
306dc076ebd63fe8d969a99984470c480737e86eba1fb55ebe1ef49a8b987565
0ba1cd5068eb222e21bf0f4799f531c5dc07849d4920d3410a78b4aef0559ac8
fc6c24e17bd06e27dcc1ac019e4080d4a1a2f10459f74c17b9bb19fb8ba6e442
d30e5bd3a0ec9e64eea4363751655f0267d7ffb00a9552862179cd8cf6caa6c0
7b939c76950b25a4e132860f637b3de9f561022e96481bb5f881b21e57e5898b
cfb7d8e6f49f1f067aff2762657006d278b719fce64fbe89864baab8ae908120
d0d44ccb48b649e89a18773ccea8337047e57247d29dbedc1abab31f265e7e45
03f5b9544b3bb2db290e54dfe203f425374d973ac225df52a7cb29adc7998726
3f1d00cc832bad31567399df69c06c23dbdc989e18178efc599ca6574d190e34
e1e0a4fba3b1dc2e64ac088f5839fe75832cd9a824fd9f0f5e043821d9d18b0c
81fd7b4c68d09347415a53e0fcf3a7fc3d3277be9fdc9a67e550078a53f4b96d
53c9e5f225c4151735e652929bf75b25dbe898ac1e4452c9199d8414a57fe603
cc15e8a9e04355389815d8a7be4c34746c87a2a9d672e426c01b00ad0a583069
7d64ca34c7cd390b4fdacfd575d66c3aeba60066464e38a6c5beb0fddcc4c366

SH256 hash:

7b939c76950b25a4e132860f637b3de9f561022e96481bb5f881b21e57e5898b

MD5 hash:

fd261f53f1a33be172f7b21b0fa7c33a

SHA1 hash:

6c411a5f4ab9c69a7a48f8b8c97e5b5ee356a04e

Link:

https://www.unpac.me/results/1436e101-2edd-4170-b0a4-59be14469231/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7b939c76950b25a4e132860f637b3de9f561022e96481bb5f881b21e57e5898b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip eb0493805418d490793ba698958c9943307598cb673e762426ac1017a11411ec

Formbook

exe 7b939c76950b25a4e132860f637b3de9f561022e96481bb5f881b21e57e5898b

(this sample)

Dropped by

MD5 77186d81e7f58892a72eab0fd2395bee

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/72892/

Dropped by

SHA256 eb0493805418d490793ba698958c9943307598cb673e762426ac1017a11411ec

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample