MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8359aef736bf6288512a9d20ed65d3c2981c55ef52421e47ccc287316fbcf7ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8359aef736bf6288512a9d20ed65d3c2981c55ef52421e47ccc287316fbcf7ca
SHA3-384 hash: 39978a97f8478d53f431e5eaecd151518faf3610fecb8d364d7c4b9fe1c985ac1f8483b71b3f8befeeaf8dda0802e327
SHA1 hash: 8f1c96e8a24043dea1c5e6117a0c9b9bc52f6e0b
MD5 hash: b8930163abdd8547ef1afa422b0ee15f
humanhash: timing-hotel-lemon-green
File name:DOC_000007890_docx.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'132'032 bytes
First seen:2020-05-07 15:33:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 05921bf5bfb2e768ae47538780e783b7 (5 x AgentTesla, 3 x Loki, 2 x FormBook)
ssdeep 24576:Zriopgj/L6x7yZURYHpI5GMPMMenvFdC6:Z+oEU6HpIEMPMMeFt
Threatray 5'090 similar samples on MalwareBazaar
TLSH CC358D22B692943FD2731A3C8C6BD3A49C2A7D106D28B85A3BF51D4C5E392413D35EE7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

Sending IP: 80.249.82.246
From: Katharina Caspari <kostko.y@belavtodor.by>
Subject: AW: Buenas tardes
Subject: AW: Buenas tardes
Attachment: DOC_000007890_docx.zip (contains "DOC_000007890_docx.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Adware.Generic4.BBFB.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Webalta-6862190-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 17:28:46 UTC
File Type:
PE (Exe)
Extracted files:
59
AV detection:
30 of 31 (96.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qnm255zwx5riqujktuqo2zotykmbyvppkjbb4r6mykdtc35467fa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
295c508d5a38496e158e8ae8795196bfa24a12d1aabc2e528a133b41e6723ed2
FormBook
2f7909f2f9c886007630cef749f408d4d7be271182dadf6bb0ff6924ad65703f
FormBook
49f8b73df45213da0f86e871fbd8d231cdfcc30e7ef8041d38ef062884e47b2e
FormBook
52b517b0e9be1efed3349ff5b7e7e4a392881437d7bc9ccd7b94bbc23e28a2f9
FormBook
654e546d40f7d74528c82d0a3feaf917a8a173e07e2a0ad9d5f29fb8b961bc67
FormBook
72182475544d3b228d94d5e9185b7162fe647201b2302c214a00d36a131c2f68
FormBook
75549fad0671d97245ff745daa90f72d93b9518650b9a9b3cb174151ae0e335a
FormBook
969f79907e45ccfccd7ea0072ae993c93b963d0208a971ef24e7b07060300de1
FormBook
b59687559bfc1f043f7f1c3c42651b51450836ad4973fbda39d57ca0ec157c65
FormBook
be4207b3c6def716919d01b666d9a78243730825f095b30edca4dfdae1f9096f
FormBook
+ 5'080 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-4tc9fnws7j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.chilogae.com/k2w/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ac2df0b4e1e8ce52f80c72c0fb158446

FormBook

Executable exe 8359aef736bf6288512a9d20ed65d3c2981c55ef52421e47ccc287316fbcf7ca

(this sample)

  
Dropped by
MD5 ac2df0b4e1e8ce52f80c72c0fb158446
  
Delivery method
Distributed via e-mail attachment

Comments