MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3a1b2c34631ea7174675f09e243ec00136cf9b7f585d97d1a85539ee7f279a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3a1b2c34631ea7174675f09e243ec00136cf9b7f585d97d1a85539ee7f279a3
SHA3-384 hash: 911d744b94716f0bbf028791ae6f178d6cc47ae597d16781aa4adde45d2a2c5aeab84e3330bcb788c6fdafc88f073765
SHA1 hash: 600517ecd4e0170cf13e296a1739fd2551ebc5c6
MD5 hash: 80dbf339d727357a6289b9ec630c67c0
humanhash: mobile-arizona-uncle-nitrogen
File name:2020Sheet.Doc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:495'104 bytes
First seen:2020-06-16 05:55:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:qt/NllK4sES2OD30n1HVEq6s8c9EOjzBSzbHsBvsgDFjmUam:qt/A4uW1HVGlIBqsttmU
Threatray 5'227 similar samples on MalwareBazaar
TLSH 4EB4CF4D7B1AFE99D8340B3FC470586032F07C6A3926DB6E66503B355273F8AAA43553
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: in.mahle.com
Sending IP: 37.49.224.193
From: Santosh Singh <santosh.sngh@in.mahle.com>
Reply-To: nhoega@gmail.com
Subject: Mahle Inquiry & Qtn
Attachment: 2020Sheet.Doc.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10623/
Detection(s):
Win.Dropper.Batdrop-7400179-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 05:57:04 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=woq3fq2gghvhc5dhl4e6eq7maajwz6nx6wc5s7i2qvjz5z7spgrq._file
Verdict:
malicious
Similar samples:
091fa5c2da8704e463202cad1bdd4f766ca66c28b3f60348c03288c4d4c3ce32
Formbook
18f5f4aa9b67c87202ed2456159ff033577a00bd227dc7b713de074f262d9897
Formbook
19833770b128f098f86b4d9daaedef96f8de222745a7e431999545c9c03bfb29
Formbook
310ce684bde85380d1c908579135f3ea6ff6f69c8475fad63a232020beaebd65
Formbook
51558f41331f2345cd146dc9705f48e8a6fdc425e6744658ff2ea53d42d34ae6
Formbook
64ff498497ee75879455fa623913eed07fae30f5e357bb247bedcf76e7d4e04f
Formbook
915317c4721161535e8ab7d081baa128d6678c50ff2135571965cf40b7167fb5
Formbook
9ba436351aa2ed6aa1c478d716b2b5e2dd6b6141c14aa8ded5089ed6951b9426
Formbook
a4906242ed8ef857d5fe0dd5b8e3f1f90baa1bdf6f1030ba09af4a2b8892e08b
Formbook
f310aa4f6cb0b3c3d237d13640594dd0a06f8c42ab5ecd1cba3daecc860129bf
Formbook
+ 5'217 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-d61w5p22j6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.glamotd.com/lyb/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b3a1b2c34631ea7174675f09e243ec00136cf9b7f585d97d1a85539ee7f279a3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/10623/

Comments