MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f6ab9c1ee0cee3b51e076a98ad0b05416e87de438d475a8137d80405f75ac24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f6ab9c1ee0cee3b51e076a98ad0b05416e87de438d475a8137d80405f75ac24
SHA3-384 hash: f2e604c1d7b2637d84c88f1f13650d9e6f05beea520adc90629bfbc0f26d2a6574c1ccea1d786f793e3493f8bc142f34
SHA1 hash: 8029c29921117b283b47563fd820dcb2e62b953e
MD5 hash: 5149d4a83e65bc593a6001eeacde468d
humanhash: harry-spaghetti-green-aspen
File name:TT PAYMENT RECEIPT.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:380'385 bytes
First seen:2020-06-25 06:07:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 6144:HPCganNBWQeCuxXkWNT4n+xlKfhfxZBPtQCDPTCcX6W/5rm0xeA2lyWfMfrGZ5Kd:danHFeCsk9+uPlb/p62r/eTJUfaKD
Threatray 5'609 similar samples on MalwareBazaar
TLSH B88423423761ECEED1924AB81979678D2B5EEE6A414D620B9301767E7D3F1C21C3F883
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13941/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f6ab9c1ee0cee3b51e076a98ad0b05416e87de438d475a8137d80405f75ac24/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p5vltqpobtxdwupao2uyvufqkqloq7pehdkhlkatpwaeax3vvqsa._file
Verdict:
malicious
Similar samples:
086616679314c8f75f9fa03cc722a56008166c8e9c8a63a653ed45d35628fdf4
Formbook
4601b57fb9acf7117686773d8616efcac498591a6b650acc9a4f96871e9694b5
Formbook
52ea3c1f51eb3a8920e2895ebe7d54ed9b010407775434da9c47fdeceae7af84
Formbook
6142ce64bdf7d4373dedcadb54fb06efed10595a65713783f2930eb1ebb9f989
Formbook
84b4040d764a758414d6e7d913161c97846e563eb18e3497f207670f9d239bc8
Formbook
8bcdcd3db1dd3688101b18e4c090194ce7ac4e96ef206e56d5595e467cf25e46
Formbook
a102c4a2dfca8c218f1e65cbb5050012da856c3deba018d8c238fa9b09dd3a2b
Formbook
b1d9adc8ee80f24960fb84adbb029695e49763faecbf559f92410d44bf28b0d3
Formbook
dafbe8f50df58d704b31ddd6cde8fafa09627ffc4dc63b774104376fe924c3e9
Formbook
e661bc38b20992b846232fd3d6cbe914bb46ae68b39ce7e7a348be2ba5261851
Formbook
+ 5'599 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/200625-mtlgvv1z9j/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

ace 18e9b3a72fd8d18b27428fd6c3acc3da5fef7866b2b5b995049534a49aef777d

Formbook

Executable exe 7f6ab9c1ee0cee3b51e076a98ad0b05416e87de438d475a8137d80405f75ac24

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 18e9b3a72fd8d18b27428fd6c3acc3da5fef7866b2b5b995049534a49aef777d
Cape
Cape
https://www.capesandbox.com/analysis/13941/

Comments