MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f30518d5d377a5daabfdf24a509e35c46b04f951500fec7a78e84724c4cdbc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	7f30518d5d377a5daabfdf24a509e35c46b04f951500fec7a78e84724c4cdbc4
SHA3-384 hash:	c136442c5077fda696d783140b48851a0237b9993cf405cf6803b7acb257913fbf603bcb76c2b62dd307eea12d06635c
SHA1 hash:	4c3a69e7feddd0b0add972efb6c48e620a227f22
MD5 hash:	3374bece9b1b1861e44bc9b6fe8fdf10
humanhash:	thirteen-yellow-ack-saturn
File name:	PO_3741 STONIC.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	328'192 bytes
First seen:	2020-06-18 12:53:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:vSc6eTRIxtCwkodpb118XXphcp/e2T1yJyauCV1AFA:Kc6eTRmdpP8npyNl8WF
Threatray	5'247 similar samples on MalwareBazaar
TLSH	9964E10A779CCB06C5BA5B7FC0D6451003B8AE663A22E32E7FC532AC19237D7954674B
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: yuntong-batt.co
Sending IP: 111.90.141.203
From: Thani <Thani@yuntong-batt.co>
Subject: RE: RE: PURCHASE ORDER
Attachment: PO_3741 STONIC.rar (contains "PO_3741 STONIC.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

89

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/19800/

Detection(s):

SecuriteInfo.com.FakeAlert.9060.1798.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-18 10:10:30 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=p4yfddk5g55f3kv734skkcpdlrdlat4vcuap5r5hr2chetcm3pca._file

Verdict:

malicious

Similar samples:

057f4ea12c391a6fb346574383fb2a4feaf692e4bdb8383160b34672fdf239da

069ce231194bdb4305fde084a55ad1026acaa073fcb90110b132ba27a53441ab

143da9c82587966091a89e47a13083cbfa757699296e37b333ba607c7052dc8f

313fc2bc689fcc4d9d0b191fa6107cf29dd9f56aba4b3ef2ad0b02e6a7596bf4

319274d1c6c50850ea1fb7673c288c90b4df3420fd6362bac3fbfb93e3f1ea2d

6e7b381441447157749ba664134682c01bad587614b29dab79aeab904419857d

7bb0368333b8dc8c6b4c422f11c02ec43d385547b460c2f1f8cf78013521a2f5

b32e124d79e22d6fa01bea107ce49b5247629f4c4be8b27242887f2151d9ac31

bf7ae4c4b3df671cb890a8814463ad46ec4d6edb6da0fe9c9201c1d3d9bec52d

cdef1fc7b825c5c220e1f3422d9e1da4e930473ff6c113b6610db99eccca8e17

+ 5'237 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

evasion trojan

Link:

https://tria.ge/reports/200624-5jzz7wadb2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Deletes itself

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 9781ff1f4aeacc5204ecb2b552c2d8a818e91b8539bb842219a58a0ce46f12e6

exe 7f30518d5d377a5daabfdf24a509e35c46b04f951500fec7a78e84724c4cdbc4

(this sample)

Dropped by

MD5 ad8e8a1ef1a84e42c6fb6072cff3daf9

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 9781ff1f4aeacc5204ecb2b552c2d8a818e91b8539bb842219a58a0ce46f12e6

Cape

Cape

https://www.capesandbox.com/analysis/19800/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample