MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b49e31db6107c37ac7f40732102d9b574f9bdcafbc227d22122a527e5142e9e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 6

SHA256 hash: b49e31db6107c37ac7f40732102d9b574f9bdcafbc227d22122a527e5142e9e4
SHA3-384 hash: 38002086ca5e4353afbf06f7d9bf2e94a7b9b5b3c972baafa95bcb23a0b844767a0614435da77e00dfd660b371c812f6
SHA1 hash: 9663d0ca118c935428b19e254ce1c2da03439e32
MD5 hash: 6dc7c43be83d4b6b2e214e5bc28330b5
humanhash: carbon-winter-iowa-artist
File name: Shipping Documents and Invoice.exe
Signature: FormBook
File size: 394'240 bytes
First seen: 2020-06-15 14:04:01 UTC
Last seen: 2020-06-15 15:26:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 85bc386bd6a1f821258a1c9abc71d3dd (1 x FormBook, 1 x Sodinokibi)
ssdeep: 6144:MeAdJoVnPhdJWCZEaXstzcy/9m6hSIDbpdQgyujHaJ2dCgN:MdyPhDLXYzNJSUbImLogN
Threatray: 5'101 similar samples on MalwareBazaar
TLSH: A384CE21FA91C031DC630A7A44F5C7B86A3CFD655B258ACB37881F1A7EB41D26336762
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: raw.automatica.mx
Sending IP: 193.143.1.76
From: Purchasing Department <helpens@raw.automatica.mx>
Subject: Purchase Order KL780122 (Urgent) for [REDACTED_DOMAIN]
Attachment: Specification.zip (contains "Shipping Documents and Invoice.exe")

Intelligence

File Origin
# of uploads: 2
# of downloads: 71
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.DanaBot
Status: Malicious
First seen: 2020-06-15 01:30:33 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.sandrxy.com/gw8/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | FormBook | Executable exe b49e31db6107c37ac7f40732102d9b574f9bdcafbc227d22122a527e5142e9e4 (this sample)

Delivery method: Distributed via e-mail attachment

Comments