MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 986db22a45f9c417139adb5a9fe1708dedc8b029a428e9db880b2cb7408c5d2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 986db22a45f9c417139adb5a9fe1708dedc8b029a428e9db880b2cb7408c5d2d
SHA3-384 hash: 855b765f56d5090f1a50d4e68f6c661dc2a390c877f97e28b57742126c48591bdffc5da3e20cb9dd1b1c84a0c79287bc
SHA1 hash: 2c4ff6bf00b312dded5a7c5f4b2e850f22926756
MD5 hash: a64170d2b82eeb2964dde615b506a304
humanhash: alanine-minnesota-alanine-one
File name:PO_No 2545.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:259'584 bytes
First seen:2020-05-28 06:19:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:V4jcCamjRsXhhmCMoLqqMnXbneSXUP0PebXSc:CtjRiIFoLqFLn4Pueh
Threatray 5'128 similar samples on MalwareBazaar
TLSH AE441200D5684A39DA6D4FFA288194045BF172561456FB9E5FE8F2EB3A077630B03B3B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: qualitech-solutions.cam
Sending IP: 111.90.140.145
From: Austin Schick <austin.schick@qualitech-solutions.cam>
Subject: RE: ORDER INQUIRY
Attachment: PO_No 2545.rar (contains "PO_No 2545.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.fc.4709.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 03:36:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
30 of 48 (62.50%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
023ca25a18e7b6fe4c2346878ff4e688c011ef10900611f59689c4881f76579c
FormBook
0f9158444d5e5387bfc619b035fbc31625cc933643f3eea063eca29cc33455ef
FormBook
161ab2a24a2f0a71e1a50d1110b3ca25ec1a53c1412c2235db94a871bc3c9563
FormBook
20b27c73d6c337c95759c21e02e1e795fb7f07413e46f053e6e728c5de342dd9
FormBook
2909ff5bce8e72f2007455c778afbe46192919731b197e654e6e03f47cbe421f
FormBook
538b5708c76c86e74b0bf54772daa9bda7c7bab48b5261541a3bf128714d8e68
FormBook
65a02f6b451bb5ccf5d443b7976da84cb80812e24a909d1038423bfe5ac5e2b8
FormBook
8b9bbca00335521a8fa45d5abf271ccf0eac27d70e44140355f7af671c3dbe7e
FormBook
96ffe97ffd555e8f1329ba24b40cba5320d5bc1ef51fb0155b9dea55bf842487
FormBook
e2e86de59b03cd68c6795d391938d75dac7fa0fe0d5bf497a075402686eba01d
FormBook
+ 5'118 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-mw84d4rxwa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.govaj.com/bd2/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 5595c5735586355b3ac146aa802ed3b45b5933f2ae8cfc3cdc744368771ff9d7

FormBook

Executable exe 986db22a45f9c417139adb5a9fe1708dedc8b029a428e9db880b2cb7408c5d2d

(this sample)

  
Dropped by
MD5 9574107cbd9349fbe5b85eaced68c683
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5595c5735586355b3ac146aa802ed3b45b5933f2ae8cfc3cdc744368771ff9d7

Comments