MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d7708415c46c798ebbabab592026d1847c532ec9520f928ba4bc31215a21159. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d7708415c46c798ebbabab592026d1847c532ec9520f928ba4bc31215a21159
SHA3-384 hash: 557995befd7ae9a554ace95037196eba551ced946b8e39676942568eafcf258c07ae9098452d239fb3307fe34762ebd8
SHA1 hash: e590d2079bb33a10e510fcd65cec6704f4d02747
MD5 hash: 2017542d3d2b5e1c31788fb7af0a6f4d
humanhash: winner-robin-east-three
File name:dos.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:458'752 bytes
First seen:2020-08-03 07:32:14 UTC
Last seen:2020-08-03 07:47:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:qHAgbCa8sGQT6w46v8ILSJOt8azFtUG25dlE0Zp6:qHX8kTb46vpz81G27p6
Threatray 643 similar samples on MalwareBazaar
TLSH 60A46C317943C035C9290A7454B8A9C369793E7937A1CA1FB39A134C2F429ABBF5721F
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: krohne.com
Sending IP: 37.49.230.140
From: Ernstmeier GmbH & Co.KG <d.ye@krohne.com>
Subject: PO-ST0308
Attachment: PO-ST0308.xlsm

FormBook payload URL:
http://gaytanconstructioninc.com/dos.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/37468/
Detection(s):
Win.Malware.Formbook-7399661-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Sending a UDP request
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/407621
Signature
.NET source code contains very large array initializations
Malicious sample detected (through community Yara rule)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d7708415c46c798ebbabab592026d1847c532ec9520f928ba4bc31215a21159/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 07:34:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rv3qqqk4i3dzr252xk2zeatndbd4kmxmsuqpskf2jpbrefnccfmq._file
Verdict:
suspicious
Similar samples:
00481f6d6a28c6792dc0ddeb8cf053ec065be3ebebd70137dc51dbbd1f4c1898
Formbook
09a428389e8aa058f66078acc830b2311db2535d68818396385e1e6712334530
Formbook
1c0bfa737602981a7ff3b4f96e303f761c2177c5d5852a8692caaeb9721fc8fd
Formbook
1e34f97ada50f74298c6960bbd8bcf202d57437cd27c043aa34cfffd9aab5e04
Formbook
36de45886141a52528387c263e8cf8e4748a18b5198a9cefc1c1fb389e6eb663
Formbook
5974f80c6db5e5270cb093e7807d3f73f1ef722fc6cd31fd2a2af920ec240b8b
Formbook
5fac93ed0fd840cedfc559b7f2285ad384004e78fd53178b09bef6b13db08b84
Formbook
85178252374505355b028d3e77399d2575d7a94879ab2e629e93da200d102520
Formbook
c282cc8f22db07f2bc462448e339d3cf19fe5330e031a956d8c892c4b78b10ff
Formbook
ce0f4a7fe8345582ac7db5eafc6f51f7d692d46cabdd787253d9af0d990a2d3f
Formbook
+ 633 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat family:formbook
Link:
https://tria.ge/reports/200803-7zhkahplyn/
Behaviour
Formbook Payload
Formbook family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d7708415c46c798ebbabab592026d1847c532ec9520f928ba4bc31215a21159

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xlsm 102045f1813b3f00940f18e585631a0bf4aa39bb45bb90567a10f22520f23870

Formbook

Executable exe 8d7708415c46c798ebbabab592026d1847c532ec9520f928ba4bc31215a21159

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/423739/
  
Dropped by
MD5 3e5e418ceb51d8a37fadfbf0b7c67cca
  
Dropped by
SHA256 102045f1813b3f00940f18e585631a0bf4aa39bb45bb90567a10f22520f23870
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/37468/

Comments