MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b717668f4cb542152a0b021d4c1cce6425692b80cec9c3384d5a5e9b602783ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b717668f4cb542152a0b021d4c1cce6425692b80cec9c3384d5a5e9b602783ba
SHA3-384 hash: 3af9d5aa0c5cb742ee983b46f2c64bb87e51689a412cb2325fb8c398c7b622781efb09a2925ff9d0843a1180716f55a7
SHA1 hash: cee32905ad5b19f753a44d99b17932ce68def2d3
MD5 hash: 95f02f83b8b00a23dc39592df7319d44
humanhash: uniform-shade-bulldog-paris
File name:ORDER-270520-11.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:34'816 bytes
First seen:2020-05-27 06:55:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 768:DpBXz9F35vaRPSWlH6efl/5kZFeWi2mVxXBfv11kkQDDXQb961nQk:DpjiRPSxeWmVNBIkQDDXQb961n1
Threatray 5'099 similar samples on MalwareBazaar
TLSH 31F23A147AE8C12EF2BF4FB83DE150A65A72F3671203ED5A1E49179E4953B408D1137B
Reporter abuse_ch
Tags:exe FormBook Yahoo


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: sonic302-3.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.135.42
From: Kim-K. Sally <kimsally@163.com>
Reply-To: kimsally@163.com
Subject: Fw: Correct Order No. Please Send ETD/ETA
Attachment: ORDER-270520-11.rar (contains "ORDER-270520-11.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Downeks-7891358-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Mbt
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 07:18:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 31 (67.74%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
2ad4a02a1f907b8036b9bea0fd940bfb47435964b23ffae577080823c86500dd
FormBook
5d8b65f8c8dbafc49e02925b7caee33bf456f0aa396c5dabaf526578ff4a6a5c
FormBook
8c3ab3dfe110988d790808121453336342297777bdac96a10d317bab2b0de2c6
FormBook
bc7549c1281f3ce45abcaad7408522374c97421e9031998b7959bd5e59b27a93
FormBook
bfa0531240e8ae03aee76df45f9e4c8748ad739a63f47c81269d7b2ca05fc329
FormBook
cd1a9b8d7f8d830bcb13548fdd9f02a7fae07b7c49fd12bd1a7e02ed346bc010
FormBook
e56366d78017d877b4413031f23021dce6f39cd2207bd4324967df5aaab3c4c0
FormBook
e8edf009c1c82f348ad925f7f9a34b4f241d52240c6cb43ab4536c4b363d5322
FormBook
fbc04306880313e1c67e38265c9ec331f336cba5bc461266e05228b22094defc
FormBook
fca6ebdeec0b760f2faeef8ba5edf6ab9d0141475b5f554ef1678aa4426baaac
FormBook
+ 5'089 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-dt35ygvtbj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Uses the VBS compiler for execution
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 9e0da547b0691b62bfae4513973f329a4ef585af9608a646c367a60712f00e0b

FormBook

Executable exe b717668f4cb542152a0b021d4c1cce6425692b80cec9c3384d5a5e9b602783ba

(this sample)

  
Dropped by
MD5 24e7096ee0a57c6d1a00b5d495485d83
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9e0da547b0691b62bfae4513973f329a4ef585af9608a646c367a60712f00e0b

Comments