MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4e79fada30e509c05ac2b76a9ca46004f976449293d80b865b4e6a0fafcf9b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4e79fada30e509c05ac2b76a9ca46004f976449293d80b865b4e6a0fafcf9b9
SHA3-384 hash: 1afd09814f8002383ad7e046ef5532fad6a6d1d30e31cae294c8046b6cd396d3e9688cf29bbbc878e1e8996ab2d9e8ec
SHA1 hash: 77fbfa9f023587d50408e5d5610d009172f4ea82
MD5 hash: 70634f706ca4bdc7d386360a8ddae9d6
humanhash: ack-speaker-tango-speaker
File name:PO80328001_PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:433'664 bytes
First seen:2020-06-22 07:55:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 6144:9B2aoroSm/9/ZLMkDOvZS0JhEIzWHwQUmp2xK3tSA:91oBWhAkDOcbIz6DUmwxKZ
Threatray 5'124 similar samples on MalwareBazaar
TLSH 56948E363142E23DC12A82F1A06D1DE596361A263307D32FB397F3589F4558BFB1926E
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: postman.ardicloud.com
Sending IP: 82.223.37.97
From: Jose Link Bu <mclemente@grm.com.es>
Subject: PO80328001
Attachment: PO80328001_PDF.GZ (contains "PO80328001_PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12487/
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b4e79fada30e509c05ac2b76a9ca46004f976449293d80b865b4e6a0fafcf9b9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-22 00:38:22 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wttz7lndbzijybnmfn3ktssgabhzozcjfe6ybodfwttkb6x47g4q._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
330cc7a94a8d40b4588313605d103e425e9a2530bf19e32b6cd61a786a6b8c04
Formbook
344d949f94b4420c0cd7772fa786e17059d5599df223a93ef999ea2c663ad8be
Formbook
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
Formbook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
Formbook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
Formbook
9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838
Formbook
a46eb9ad512b0b9355c24ab2320a1cd25758bc5e90485a476596982d41f9fe56
Formbook
c46f6d72a258354c5267436ea0db9cd3f12cc1595a0d9072d904b0b15731f092
Formbook
f1c80232eaed26af259c818427b444f12057b9329804da8ded13ec9fd20d3413
Formbook
f80c8e9d0e8ed0ffa6b7d8620a0eb890deb7c9dc84dca3198b3d2625bf5d1099
Formbook
+ 5'114 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:formbook evasion persistence
Link:
https://tria.ge/reports/200624-1g1dfft2zs/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

91bc34753f8c1224a4fa200124ce5122

Formbook

Executable exe b4e79fada30e509c05ac2b76a9ca46004f976449293d80b865b4e6a0fafcf9b9

(this sample)

  
Dropped by
MD5 91bc34753f8c1224a4fa200124ce5122
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12487/

Comments