MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95398256c9a457e155671d2b4eb69b688c151002a1b58abd0de1411690a53c88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 7



SHA256 hash: 95398256c9a457e155671d2b4eb69b688c151002a1b58abd0de1411690a53c88
SHA3-384 hash: 3c629b41d74059ac770c1f791ecb96ac7b1c5ae1f07822d647289a91ce2abec1d03fec269eb78fdb3e4c52a37de61d2f
SHA1 hash: fcdd594ba56c26fcb57b4e8c44d63905f2472701
MD5 hash: 092fa3d9ecece2d4422a00cfd4722fda
humanhash: oklahoma-avocado-oscar-edward
File name: New Order & Product Specifications.exe
Signature: Formbook
File size: 488'448 bytes
First seen: 2020-10-07 04:47:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 6144:GSi5Za+LKfq5sLfnvKWbhpKYVNxEWOI4JOdQCw5uRlItyw9C8j1Ppvu00:GSivlLBiLXKOuY3xfzMulDetyl8O
Threatray: 163 similar samples on MalwareBazaar
TLSH: EDA4AD736C82989ECE6947B10CB541F1F67A02CE3F938A0E72AE530C0E11757775A66E
Reporter: abuse_ch
Tags: exe FormBook
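The imphash above is shared with 48'648 AgentTesla, 19'452 Formbook and 12'201 SnakeKeylogger samples, so it is no use for pivoting on this file. That is expected for a .NET executable: imphash is computed from the native import table alone, and a managed EXE's native import table holds a single entry, _CorExeMain from mscoree.dll, which every .NET compiler emits. The following is an added example, not MalwareBazaar's or pefile's own code: it reimplements the imphash normalization rules (the ordinal-to-name lookup pefile applies for ws2_32 and oleaut32 is left out as a simplification) and adds a helper that flags an import table carrying no pivot value. The import lists are constructed for illustration, not extracted from this sample.

```python
import hashlib

# Extensions pefile strips from the DLL name before hashing.
_STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def imphash(imports):
    """Import hash over (dll_name, function_name_or_ordinal) pairs.

    Mirrors the pefile algorithm: DLL names are lowercased with .dll/.ocx/.sys
    removed, function names are lowercased, entries are joined in import-table
    order as "dll.func" with commas, and the string is MD5-hashed. Ordinal
    imports are rendered as "ordN"; pefile additionally maps well-known
    ordinals of ws2_32.dll and oleaut32.dll to names, which this example omits.
    """
    parts = []
    for dll, func in imports:
        name = dll.lower()
        for ext in _STRIPPED_EXTENSIONS:
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        sym = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{name}.{sym}")
    return hashlib.md5(",".join(parts).encode("utf-8")).hexdigest()


# The native import table of a managed EXE: one entry handing control to the
# CLR. Every .NET executable built this way produces the same imphash.
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# A hypothetical native dropper with a few real imports, for contrast.
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "AdjustTokenPrivileges"),
]

_CLR_ENTRY_POINTS = {("mscoree.dll", "_corexemain"), ("mscoree.dll", "_cordllmain")}


def import_table_is_dotnet_stub(imports):
    """True when the only native import is the CLR entry point, i.e. when the
    imphash says nothing about the sample beyond "this is .NET"."""
    normalized = {(d.lower(), str(f).lower()) for d, f in imports}
    return len(normalized) == 1 and normalized <= _CLR_ENTRY_POINTS


if __name__ == "__main__":
    print("dotnet stub imphash:", imphash(DOTNET_EXE_IMPORTS))
    print("native imphash     :", imphash(NATIVE_IMPORTS))
    print("imphash usable as pivot:", not import_table_is_dotnet_stub(DOTNET_EXE_IMPORTS))
```

For managed samples, pivot on ssdeep, TLSH or the Threatray cluster listed above, or on the hashes of the unpacked payload, rather than on imphash.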


abuse_ch
Malspam distributing unidentified malware:

HELO: fujitec.co
Sending IP: 209.11.159.147
From: Purchase Dept <mohan.j@fujitecindia.com>
Subject: Fwd: Product Enquiry/New Order
Attachment: New Order Product Specifications.iso (contains "New Order & Product Specifications.exe")
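The envelope reported above shows the two cheap signals this lure gives a mail gateway before any sandbox runs: the HELO name (fujitec.co) does not belong to the From domain (fujitecindia.com), and the attachment is a disk image, a container that bypasses mark-of-the-web on the executable it wraps. The following is an added example, not abuse_ch's or MalwareBazaar's own code: it parses a message, extracts the HELO name and sending IP from the outermost Received header, compares the HELO against the sender domain, and verifies disk-image attachments by their ISO 9660 identifier rather than by file name. The messages are constructed in memory to mirror the fields above (the Received line, the recipient and the "benign" control are invented); the "image" is a blank buffer with only the CD001 identifier in place, not the real attachment.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# ISO 9660 images carry the standard identifier "CD001" at byte 0x8001
# (sector 16, offset 1). Checking it avoids trusting the attachment name.
ISO9660_MAGIC = b"CD001"
ISO9660_MAGIC_OFFSET = 0x8001
DISK_IMAGE_EXTENSIONS = (".iso", ".img")

_RECEIVED_FROM = re.compile(r"from\s+([^\s(]+)", re.IGNORECASE)
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def same_org_domain(a, b):
    """A HELO host matches the sender domain when equal or a subdomain of it."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def triage(raw):
    """Return the extracted envelope facts and a list of finding tags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Outermost Received header: the HELO name and peer IP our own MX recorded.
    received = str(msg.get("Received", ""))
    helo_m = _RECEIVED_FROM.search(received)
    ip_m = _RECEIVED_IP.search(received)
    helo = helo_m.group(1) if helo_m else ""
    ip = ip_m.group(1) if ip_m else ""

    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    if helo and from_domain and not same_org_domain(helo, from_domain):
        findings.append("helo-from-domain-mismatch")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(DISK_IMAGE_EXTENSIONS):
            findings.append(f"disk-image-attachment:{name}")
            window = data[ISO9660_MAGIC_OFFSET:ISO9660_MAGIC_OFFSET + len(ISO9660_MAGIC)]
            findings.append("iso9660-magic-present" if window == ISO9660_MAGIC
                            else "iso-extension-without-iso9660-magic")
    return {"helo": helo, "sending_ip": ip, "from_domain": from_domain, "findings": findings}


def build_message(received, sender, subject, attachment_name, payload):
    """Construct a test message in memory (not a real capture)."""
    msg = EmailMessage()
    msg["Received"] = received
    msg["From"] = sender
    msg["To"] = "orders@example.net"
    msg["Subject"] = subject
    msg.set_content("Please find the order attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed lure using the HELO, IP, From and Subject reported above.
FAKE_ISO = b"\x00" * ISO9660_MAGIC_OFFSET + ISO9660_MAGIC + b"\x00" * 64
LURE = build_message(
    "from fujitec.co (unknown [209.11.159.147]) by mx.example.net with ESMTP; Wed, 7 Oct 2020 04:40:00 +0000",
    "Purchase Dept <mohan.j@fujitecindia.com>",
    "Fwd: Product Enquiry/New Order",
    "New Order Product Specifications.iso",
    FAKE_ISO,
)
# Invented benign control: HELO matches the sender domain, attachment is a PDF.
BENIGN = build_message(
    "from mail.example.org (mail.example.org [198.51.100.7]) by mx.example.net with ESMTP; Wed, 7 Oct 2020 04:41:00 +0000",
    "Accounts <ap@example.org>",
    "Invoice 1042",
    "invoice-1042.pdf",
    b"%PDF-1.4\n",
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage(raw))
```

Treat the HELO mismatch as a scoring signal rather than a block rule: third-party senders and forwarders produce it legitimately. The disk-image check, by contrast, is worth enforcing outright for inbound mail from unknown senders, since an ISO delivered by e-mail has almost no business use.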

Intelligence


File Origin
# of uploads: 1
# of downloads: 100
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Launching the default Windows debugger (dwwin.exe)

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 80 / 100

Signature
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook

Result
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-10-07 03:36:39 UTC
AV detection: 16 of 29 (55.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Unpacked files

SHA256 hash: 9e711e7d6d9a8f0cb54f0c83eb74ad7cb09f33310996cc7ad85f49907d65f0a3
MD5 hash: d5b54f0f0fe63d9d0a9d2d608e158c6a
SHA1 hash: 52cab4fc7e5aac5f9784affd348a3f87afe498c7

SHA256 hash: 107a05e8af1cc369ecee89a96c74b22853e41a4317da4104a935aff540f00bc6
MD5 hash: 8cf053299816b322c2df3cc6e81f3778
SHA1 hash: 1928220bce46db32735df8531089ef7c5bfaac90
Detections: win_formbook_g0 win_formbook_auto

SHA256 hash: 05de1d5105c66dbb10ae9862992f84017d133e7e29b6ff36200df39f99dbf69e
MD5 hash: a5ab9e9951ae9d5f44c9cc7f3a2e8321
SHA1 hash: 904ae3f482288f1008d5c67b6a39e693c3244a0d

SHA256 hash: 2b6859c0a174527f5d375b65a883d0418258d2e77f76d42b9fa7840933cacbc7
MD5 hash: fa824f366d2eead8e0cae2354993aaf1
SHA1 hash: c0d7f191445c3cda294633a3b816bf56ad79fc09

SHA256 hash: be241808f30545f79b19f301f5b5ed9af41e7c63db78bed842b4718329d02884
MD5 hash: 96856d427a4bf136643a029e083fbb64
SHA1 hash: f1397f7bd13445d29a84f498540ab424c324573d

SHA256 hash: 95398256c9a457e155671d2b4eb69b688c151002a1b58abd0de1411690a53c88 (this sample)
MD5 hash: 092fa3d9ecece2d4422a00cfd4722fda
SHA1 hash: fcdd594ba56c26fcb57b4e8c44d63905f2472701
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 95398256c9a457e155671d2b4eb69b688c151002a1b58abd0de1411690a53c88 (this sample)

Delivery method: Distributed via e-mail attachment

Comments