MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8a70285a4c92a2f629bcb9f0beafccf5ac73e934e28401b970ad4ca6d8bc60b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8a70285a4c92a2f629bcb9f0beafccf5ac73e934e28401b970ad4ca6d8bc60b
SHA3-384 hash: 66b3725fcd1735750cc5f8e6d1887d951ec3a3c7b6764429649739c30d644f32c557e7cffd20f9114c101bf95321d5db
SHA1 hash: 689bbeb42d88436b6388f42133e3d79e077e1b14
MD5 hash: e19f2c8f75ec33d61e158c2164c5cb94
humanhash: virginia-magazine-august-oscar
File name:PO HT54336789.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:830'464 bytes
First seen:2020-08-18 06:22:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 639357242ed279ceaa4726408d2cc6d5 (10 x AgentTesla, 4 x Formbook, 3 x MassLogger)
ssdeep 12288:yHlYcrKanXHzeEjMx6p4ddVvjUip3GKfm8LonwpewAMz/2j7A0S:yF7OuHzkK4d7403c8UnpwT/2x
Threatray 2'244 similar samples on MalwareBazaar
TLSH 5605AEE2B1E04837D1B22A7C5C1F72B89839BE133AF8594B7BE40D089F396513565E87
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: emirates.net.ae
Sending IP: 185.222.57.214
From: alsumood@emirates.net.ae
Reply-To: alsmood@emirates.net.ae
Subject: RE: New Order PO543012
Attachment: PO HT54336789.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47515/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.BScope.Trojan.Crypt.5088.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b8a70285a4c92a2f629bcb9f0beafccf5ac73e934e28401b970ad4ca6d8bc60b/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 11:17:11 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xctqfbnezevc6yu3zopqx2x4z5nmoputjyueag4xblkmu3mlyyfq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
26f40af0e83d93213e01539affe12f208bdb65f2dd98223b1662c22eb4e243b5
FormBook
353e4fd91fe618f5c22c9cae00e7575e9b1914576ff7e332d03ca3e9f7dbbbbc
FormBook
59793c1ac9d8537e06996b0a09f161deb98a77d527b0bc97b18e15972f120a2d
FormBook
8f06b49b371c6b257b716689b767ebf4bbc75391d0cf152b9bbe498ef55d017c
FormBook
a76588c6088ba6b56904fa50df8547ff3b93a67b520769d73e92b04bb8d718d6
FormBook
a8534e310ee42756cfc01caf1eeddc8f4bca6e7e7f36de1a90f5c6ccc480e90a
FormBook
aa75e63b890a713e629ed607eb77aceb60982bd0027a9189893c0ac63827f116
FormBook
b2528047a7c839ca84e666660705feb2bcda640a0d5686d063406446176f3cc0
FormBook
bfb2fd4412e9cd136a794f61436d597d7d58fb4fd842509dabe7a70344e4fd97
FormBook
e3262e18e77da24473b5af2117f10a3121c8ed1a832c6e1b0f5a8f0d7e5fecda
FormBook
+ 2'234 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200818-p5ek9eyrqa/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.joomlas123.com/juw/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe b8a70285a4c92a2f629bcb9f0beafccf5ac73e934e28401b970ad4ca6d8bc60b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47515/

Comments