MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 addd4ba4b4aa754501d638cbbf3c78bec538ca15a72acb5eadc7babfaecfa350. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	addd4ba4b4aa754501d638cbbf3c78bec538ca15a72acb5eadc7babfaecfa350
SHA3-384 hash:	b656862bfd48152a455d88d384176ac628344a41006ee2151538c7e9edaf09c257ae8d7fc43d97c9543502df2e4c82d6
SHA1 hash:	197cea5b1542051241569f47797f3f6b751c54c1
MD5 hash:	03cb3f8cfde5e3396914445acf58c1f1
humanhash:	pluto-idaho-edward-yellow
File name:	nass.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	899'472 bytes
First seen:	2020-05-05 17:57:55 UTC
Last seen:	2020-05-05 18:43:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	83a1448767faf700dce12c022b592a4e (7 x FormBook, 1 x TrickBot)
ssdeep	12288:btall+eEVHaIW6ZliFvgsIOFymaStW7lAD/k96llKiYCoD68wPc:QlozHaV6ZgxgsIOPTWqD/k9plC3c
Threatray	5'100 similar samples on MalwareBazaar
TLSH	8115DFE2B812D478EC560D75D4265CF55C7B2EA6FE68F447BAA4FE4270731C3212A10B
Reporter	JoulK
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

2

# of downloads :

100

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

SecuriteInfo.com.Trojan.Siggen9.44429.5888.7987.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-05 18:35:45 UTC

File Type:

PE (Exe)

Extracted files:

23

AV detection:

23 of 31 (74.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vxouxjfuvj2ukaowhdf36pdyx3ctrsqvu4vmwxvny65l7lwpunia._file

Verdict:

malicious

Label(s):

trickbot

Similar samples:

043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42

4923037fb58a4491f08c85e0cf38a74d92dd36860932814170dc942a031bad2f

61e169cb08c5e3b163370cd992574347625e887eca583922412ddfaed2d6bd10

8842ac3497c777517b2f18152eabaa0994a460d249773a5e89a4e16bca2bd741

8e5e93b6f3eee7f1a08a0420b25105017d3479769e6bf9d6b2518d3abc6b1a75

a0d38e74310877d9ee7a4d0e75e25272adb25199527d19bc08c0f1ebb21f9ce6

a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091

b8ee3458736fa73672b43a4c55e136bafc48b215dcb89dac28b5865ab59fc99c

ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645

ed3318102d772c4dcecfb1e10f37cfd3fdcbaff1d340ba9c2bc5dcfe6383f339

+ 5'090 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-stpvtws6sn/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Deletes itself

Reads user/profile data of web browsers

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.mansiobok2.info/mnf3/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample