MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f1e4d566bca753281462bd0d67815385c0d06eff9ff67e691831a0db757701c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	8f1e4d566bca753281462bd0d67815385c0d06eff9ff67e691831a0db757701c
SHA3-384 hash:	4d2c6cc6ce16b25752842f0826fb984baec80f8f94285dcbf9664df6c6f8c2e4f11cd415f18f61b6eb92ccf90ce46810
SHA1 hash:	d8e5e747cc4f185032329f7d2cf3589b16e093db
MD5 hash:	aa2c30ea587e5b05f87bf7a9799766be
humanhash:	juliet-salami-enemy-michigan
File name:	q0pddrer.q1m.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	482'816 bytes
First seen:	2020-05-20 08:44:24 UTC
Last seen:	2020-05-20 09:48:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:cbt2iNF2iNkVnbcoMqcaKiEV1FcE8u/p:K1j1iVnQoVca/QrcxEp
Threatray	74 similar samples on MalwareBazaar
TLSH	D0A4D043BAB8043EC96E0FF745F1440E0AB5AD85992DDB067DBDB48E85727A80610BF7
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: mgwi2.nineweb.net
Sending IP: 27.254.130.225
From: accounts@ecotechlifecycle.co.th
Subject: Attached T/T copy for payment.
Attachment: QWN68R.rar (contains "q0pddrer.q1m.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.LuheFihaA.20074.20823.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-20 09:36:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 31 (67.74%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=r4pe2vtlzj2tfakgfpinm6avhboa2bxp7h7wpzurqmna3n2xoaoa._file

Verdict:

unknown

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-ftz16tzf6x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.hearxy.com/s5l/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 3ad0f62d563674c1b7b8bf1db9dc03c9a22ef1af11c4b07c0c3e20af270d4fc0

FormBook

exe 8f1e4d566bca753281462bd0d67815385c0d06eff9ff67e691831a0db757701c

(this sample)

Dropped by

MD5 65ef4e367f4630f1e3288637a94b6dcc

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 3ad0f62d563674c1b7b8bf1db9dc03c9a22ef1af11c4b07c0c3e20af270d4fc0

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample