MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 821103b0d22e0d776910785b51b0f39077615aca677ac97f5c6790acb214bcd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 5



SHA256 hash: 821103b0d22e0d776910785b51b0f39077615aca677ac97f5c6790acb214bcd6
SHA3-384 hash: 744135e9035a46d1d29e210972fbf6badaa85c1f8e7d53bf0e814e3c58dc3a3c5cf36aacd68be5bd6ea7df5d9384174a
SHA1 hash: add84103d378186ad0a6de5ca58b5f5ad9f07fc1
MD5 hash: 96ff6b4192d6f87a9b2c729677fda679
humanhash: oranges-table-crazy-snake
File name: T&C Schedule & Others for GOODS_MRCSB.exe
Signature: FormBook
File size: 343'552 bytes
First seen: 2020-05-11 08:04:45 UTC
Last seen: 2020-05-11 08:58:57 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 6144:0asuCl6qfClk3cwaX0il5gtExlFE5aS/XSXgyBHA8JhLoD+J6iF7UHuh1sxNtzDy:DqfClk3cwaX0il5g9xiF7MeyFTlyx
Threatray: 2'250 similar samples on MalwareBazaar
TLSH: 75749E14319C2B7AE0B66BF52AA49451E7F1716A3456E7AD4CD124CE81F8F41C8B0F3B
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: caracal.birch.relay.mailchannels.net
Sending IP: 23.83.209.30
From: mazirul.rosli@petronas.com
Subject: Fwd: FW: [TA2019] URGENT: Request for Quotation: MRCSB-T19-All-010-MNAMR-001RB
Attachment: TC Schedule Others for GOODS_MRCSB.rar (contains "T&C Schedule & Others for GOODS_MRCSB.exe")

Intelligence


File Origin
# of uploads: 2
# of downloads: 86
Origin country: n/a
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-05-11 01:39:09 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 25 of 31 (80.65%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan persistence
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.salomdy.com/xcm/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe 821103b0d22e0d776910785b51b0f39077615aca677ac97f5c6790acb214bcd6 (this sample)

Delivery method: Distributed via e-mail attachment

Comments