MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8724cbdd787358fa70708cd785ab59acbdfdd7b7e31c1b877d92feeeb7504f0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8724cbdd787358fa70708cd785ab59acbdfdd7b7e31c1b877d92feeeb7504f0a
SHA3-384 hash: f3a472871bba4004c15b954a261b5cfe3ed2da8f26858572c84516a86956c681b4a56f2f50c21456bc4a6e36fa7d3fa1
SHA1 hash: ed529f12b94aca5c8f762c4e3feef17efdcdf8a9
MD5 hash: c19d59549a5cda51fea4336732d45fd6
humanhash: burger-magnesium-fifteen-high
File name:TT copy.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:382'976 bytes
First seen:2020-05-27 06:37:48 UTC
Last seen:2020-05-27 08:16:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:UiiG9QN7KoZ2UhLY5mcgEhupYBXSDtpoKyHxCHfDaHOMY3ON9Or1eayd5gluj/Ph:UiNMKsU5msOYBXeW0LMOtaM/RK/PWfTX
Threatray 5'132 similar samples on MalwareBazaar
TLSH 4E848C9C365475EFC867CA72DD641C64EA61B47B970BD303A01322ADAA0E69BCF015F3
Reporter abuse_ch
Tags:exe FormBook HSBC


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: nugraha.pw
Sending IP: 198.148.118.237
From: HSBC <info@nugraha.pw>
Subject: TT COPY
Attachment: TT copy.gz (contains "TT copy.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.50037.282.30242.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 06:10:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
0005e5022cd608e05426c717720cab930b17de32f9afde7af7db5bff68db21ea
FormBook
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
FormBook
2a40a9e18303875b2db452783190820001c898e8374864fec29793bf43bbe401
FormBook
49b83750fc8ffbfd1a1e0c11be6eb327159fdeb0e8c20820844fd3af2d96c2f2
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
8842ac3497c777517b2f18152eabaa0994a460d249773a5e89a4e16bca2bd741
FormBook
9727c687448fb19944524631d76df2facf3fdb70324e2c61d535756fcd838ddb
FormBook
d4f92eedf4a8eb72f4825a974b88d094fe8ec8604d18735602536060e65a471b
FormBook
ebfc26187e0b0ad6924461b1f2476321c53b5a23fbfe246e3ed5a475a1ea5678
FormBook
fabdc8295e6fe5127deac9b2854b28d0132d9eaac091f89652919fbd1f8ec863
FormBook
+ 5'122 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-vbvd2nmb4s/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mansiobok.com/sh28/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

gz 9ff01fcffc4401b112f545bcd8c1b6daca0991eb5e4de222334b7514fbf6d6aa

FormBook

Executable exe 8724cbdd787358fa70708cd785ab59acbdfdd7b7e31c1b877d92feeeb7504f0a

(this sample)

  
Dropped by
MD5 b856bb3109491b5d8e6d1f6291067493
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9ff01fcffc4401b112f545bcd8c1b6daca0991eb5e4de222334b7514fbf6d6aa

Comments