MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 836e10c649bce22fed99ea498ea2f36c8d7e832be5be20de60a4f0a13db71ed9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 836e10c649bce22fed99ea498ea2f36c8d7e832be5be20de60a4f0a13db71ed9
SHA3-384 hash: 2b3442328b319c8f06dcf7d97a59d98f1f927c46fcf1c896d762c8abd0f1b2b3df76f23a47f5205d38477adfe1dad3df
SHA1 hash: a1f04b5efe28940c97be5ab7acd4660613972008
MD5 hash: a642c44d9cf338869aa602dd8fb3ac35
humanhash: alaska-indigo-zebra-table
File name:Purchase-order_62297.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:380'928 bytes
First seen:2020-05-15 06:32:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:6JelXQA8dNy2s8AAKUtuWuEkDma7DVnS9OzkK2qIUISP8mx61pp9lQrED:6slAAGls8AAKUQEwB7dPkK2qIo8d1ppb
Threatray 5'119 similar samples on MalwareBazaar
TLSH 7884CF7C35AF0E23C47C8AF4446121488BF07D59294AE3DADEC171EB9AE1BA147BB447
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: smtp92.iad3a.emailsrvr.com
Sending IP: 173.203.187.92
From: thanawat@shawpet.com <thanawat@shawpet.com>
Subject: Re: Re: Attached Order List
Attachment: Purchase-order_62297.rar (contains "Purchase-order_62297.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-05-14 20:15:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qnxbbrsjxtrc73mz5jey5ixtnsgx5azl4w7cbxtautykcpnxd3mq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
3e9bb2ac28ce3eddd3d78d47c7af51ccc143bdfe09faa32752c67fa126edabc3
FormBook
73b08755001aa841367c969576a59bde8749a39267ffd48f28b5738d531fd16d
FormBook
7b1f38ea00893691f1f2026c920e6755595e38c79fb43db6136ab8dee695455f
FormBook
89ff5517452e28f7853a015903ba0573e53d05a36095774e186022944945a5a5
FormBook
8ffe1634ec406dc2f1db74d9dd90ddf64b3abf2e42d491406b758d177747213a
FormBook
927ea99a59336bb821aa9062c686d43e3022224f56c6f34338218ddc6e165cfb
FormBook
bebdb4d1e77c1b459833876c8599ce54d46bcba89e3c8d13c1add73723648fb9
FormBook
c629f38c249f5f8a7da9911fae23c88120e4a750e3dfc52578396094a7ec7dcd
FormBook
f646b35153e14b1c060f94dfa4e3467165946dd9720b8ed63c2e8b144f132f22
FormBook
fc6b805a646f42a086dc2006a3a1ebe276b45d4583aae6ecb8745330a5139733
FormBook
+ 5'109 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-lwzc6hehs6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
System policy modification
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Deletes itself
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.glamotd.com/fgd/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar b9788677576a791ff356282d9def081d36ce4e980fff9f3ba2ad8cc1c9064f1b

FormBook

Executable exe 836e10c649bce22fed99ea498ea2f36c8d7e832be5be20de60a4f0a13db71ed9

(this sample)

  
Dropped by
MD5 75754b45b084d69e8ce0c2e388f19542
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b9788677576a791ff356282d9def081d36ce4e980fff9f3ba2ad8cc1c9064f1b

Comments