MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 968f95cfbc459cd85e555318066b62ad2c11d58474ea8d97f95f3395ed3f2809. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 968f95cfbc459cd85e555318066b62ad2c11d58474ea8d97f95f3395ed3f2809
SHA3-384 hash: c3ac5118ad2adf87377add98e8aac4e85f1d34a5117c699a2a004a7ca1f934a38f86b56aed170a863aa958b56cfdd5fb
SHA1 hash: 44ab40b429b459361cfc178fd01b5aa79db3e296
MD5 hash: 342e39e307a9cc5d50f83391e6d0bd20
humanhash: zebra-twelve-uranus-whiskey
File name:Order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:343'040 bytes
First seen:2020-05-27 07:53:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5fd94ccd1dec1c5baf6be7519f2d9282 (8 x Formbook)
ssdeep 6144:EkJSjYIvo/3HIdaHawBzDvBWEqo4JNXDzdkD:3JYtRWBzDhqo8zzdkD
Threatray 5'309 similar samples on MalwareBazaar
TLSH 5A74AE22F998053DE93F64B0BDC39D568ED609A3506F8C97DA58E102D87CBD0C8A7376
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: db9452k-1.ixlhosting.nl
Sending IP: 5.61.253.39
From: Mhd. Faisal Alnus<visaion@unitbv.ro>
Reply-To: francismark@europe.com
Subject: AW:AW:AW:AW:INV.
Attachment: Order.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 09:08:02 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
22 of 30 (73.33%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
emotet
Create hunting rule
trickbot
Create hunting rule
Similar samples:
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
FormBook
474cad642b1cf88f8d7f922cbfd9b8a00d7fc0eb40cafc0877007ee2884f105f
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
846da150185354155686d4f5d45ed5d0791cb8a97769e73e38a33c4d43c75db3
FormBook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
FormBook
b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634
FormBook
b57c9384280389b262d09cb4fa5b5465aadd4aaba2afb6d48c5d6e7c3f8d923e
FormBook
c956e15151905e1744fc41cdbf55919d03f196900f62991baa919404b6a00bbc
FormBook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
FormBook
e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4
FormBook
+ 5'299 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-j29m8mmnx6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mansiobok.info/mm20/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe 968f95cfbc459cd85e555318066b62ad2c11d58474ea8d97f95f3395ed3f2809

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments