MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b801afb5529bee671ee0219b95450122f641260b372695c89d7bdc5c2c227b65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b801afb5529bee671ee0219b95450122f641260b372695c89d7bdc5c2c227b65
SHA3-384 hash: f7964a5c6c02aea3656d53737939f2914436c4dd3bd2626a0b816f049cae3ab3e0c129219fe59fb0996a82453092b9b4
SHA1 hash: 514fd27391c58851624b4700ee486f4dcb1515e6
MD5 hash: 62d26e6034ee056e4fcbbf1e6470566a
humanhash: twenty-quiet-summer-lamp
File name:SHIPPING DOCUMENT & PL.rar.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:546'304 bytes
First seen:2020-05-26 08:14:22 UTC
Last seen:2020-05-26 15:38:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:j46EdcXKcM5FqSQTliSbvVmRdbqxtPcOcWWtdES3IxgKUUUKS9YrS6cF6S6DghXf:j41z5FqSG4SI3ecRWK3IeSQBOCRNCw
Threatray 2'276 similar samples on MalwareBazaar
TLSH 34C48D59A7B0C813C5DC97759DF35B15D7A6E1867246F3AB03A8ACA868D3381CE321C3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: icefactor.ae
Sending IP: 103.207.38.157
From: Jozef Králik <jozef.kralik@icefactor.ae>
Subject: SHIPPING DOCUMENT & PACKING LIST
Attachment: SHIPPING DOCUMENT PL.zip (contains "SHIPPING DOCUMENT & PL.rar.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.49801.21321.27500.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 21:55:00 UTC
File Type:
PE (.Net Exe)
AV detection:
22 of 31 (70.97%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1addf02f5d774ba71d7a58cb46726ef51f5ac38dcab72ffacfa06bd3df537fe9
FormBook
1edf8c6bcf0ae2b38e9e28bcb1fd838c2ea35b5b126e4bc9e42daa2e1e722298
FormBook
20e92b95515f7d7b8d27d829bbceec491cc48d3e05997b6d9523919c468d5dd8
FormBook
4c1fe4c0f5d8d1277036802c83df3e083b31318dfc2c194ce93b7169d7ba6e3d
FormBook
5c9e82fe640647e8a6f884da87e1948da693e678c6ef642c562ad782eee824d7
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
8efac0f1a783fbe5627c1fca4c211583bf045bd5671d89df9418220d66078c11
FormBook
a492b017c3e12fe55493c562ed1304155616cb61b24f6dce0bfcd3eb7a7bdaf5
FormBook
a6009a6b0724811f3bb71fc6f0c6b3b1aad71448948175949c7eb8af82034e91
FormBook
ef14e580eca50b75acae60fa7c6642fa89fc91ee8492f5193608937f4d78781b
FormBook
+ 2'266 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-tce61bvaqx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.salomdy.com/c0w/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip f3d00f6b1e78ee064a9d0284a926a86badb7da7f5a082da8dbe905ae32117f07

FormBook

Executable exe b801afb5529bee671ee0219b95450122f641260b372695c89d7bdc5c2c227b65

(this sample)

  
Dropped by
MD5 17d1269c9c0e60b60c4a25ba53d28270
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f3d00f6b1e78ee064a9d0284a926a86badb7da7f5a082da8dbe905ae32117f07

Comments