MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5cfea4c983458975c376cb9ff0ebd5feb4a426dc83c9db60264678a43eef6e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5cfea4c983458975c376cb9ff0ebd5feb4a426dc83c9db60264678a43eef6e9
SHA3-384 hash: ae75e6eac45f4d39ddb463ab03017065556cd71ad669e632c60bd07e832632fc44f59507499d8ecb0ddbfeb63a08884e
SHA1 hash: 92f92c0998398c1e4e78a9779287280f85f4119e
MD5 hash: 433d6bf20bff83a540640ac3e5635f1b
humanhash: salami-pasta-fruit-echo
File name:invoice.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:518'656 bytes
First seen:2020-08-18 07:32:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:M/1BzYiXJHusYjVnEwqTQHeB6XYaaQujVsSu:M/1Og1SjVnEw1+B6oaAjV4
Threatray 2'273 similar samples on MalwareBazaar
TLSH 7FB4F12232886765DABE57390820519217F6BD06B731EA5D7E8C318C4E73B97C7B2393
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: alnassar.com.sa
Sending IP: 162.244.93.110
From: ketchum <ketchum@ketchum.ca>
Reply-To: sales@ketchum.ca
Subject: invoice for payment process
Attachment: invoice.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47586/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Unauthorized injection to a system process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b5cfea4c983458975c376cb9ff0ebd5feb4a426dc83c9db60264678a43eef6e9/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 11:47:10 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxh6uteygrmjoxbxns476dv5l7vuuqtnza6j3nqcmrtyuq7o63uq._file
Verdict:
malicious
Similar samples:
0712880b972cad9ec58187e7539ff826d2113ce5b48fbbe030a850811b32b921
FormBook
11ed9b9e406c0dd0f8eebc68a84ed4790d73d051584206acce260627390ec049
FormBook
30d3cf43f91eea8df889ee14337ca8067bc68521ff63184c679aac80b321bb75
FormBook
478dce496a9eca179f7503d76fa70a27d85e2e8547b81b5c80fc7433122085c3
FormBook
59793c1ac9d8537e06996b0a09f161deb98a77d527b0bc97b18e15972f120a2d
FormBook
8a10ba003c94b5e6576d10a0c4bd01cabef6d87e4811e96c1a028e2cde63f414
FormBook
9e31a9eedd25bd1b57d01f6f9f265cf5d13218f3e3e1866128d061ba5c77c452
FormBook
bf694824d6cbf6fba77ce087678b03ee8243a245b4b730eb55fb83e83b8dff8e
FormBook
e224e30554ce3a83c6ef2ca1c81b50ca377486f55bed19078658578bbef844f0
FormBook
f7321d982e89fafff68c30ca74dbc1612466c4385a51a0a7b203641e31b27c26
FormBook
+ 2'263 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/200818-gy8nh9wy42/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.regulars6.com/w5fk/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe b5cfea4c983458975c376cb9ff0ebd5feb4a426dc83c9db60264678a43eef6e9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47586/

Comments