MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663
SHA3-384 hash:	a59e09ffc9f674a0fdc39d6891590c979356c96e037e904323da50f64db14efe51c4846e0412fec49bf6b5e38363652a
SHA1 hash:	4defd3320fc96ac6f77f4536a808048acb66cbc2
MD5 hash:	4911c564fb9093adbd7b5a724a66c10e
humanhash:	neptune-echo-magnesium-grey
File name:	bank copy.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	330'240 bytes
First seen:	2020-06-05 07:31:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:Xqz2thqqnxDdXY4L8Faonlv5DF0rd+KnEwnjbkTFGBsghlK:Xaqn3XYTnh9F0rd+DwjQTFG6gP
Threatray	4'925 similar samples on MalwareBazaar
TLSH	A964088C5D9EC1CAC6750FB856CED9EA46D90FF30F22887AB5C84BCBC121785F50A526
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: server.neileshcorp.solutions
Sending IP: 162.241.215.144
From: Sun Yu <dinamikakarg@post.com>
Subject: payment confirmation document from our bank
Attachment: bank copy.zip (contains "bank copy.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

73

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2020-06-05 05:17:01 UTC

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xhgyhrthw2koyehyqqmdwe4l52yptbvh2pcqv5ddknmff4x2azrq._file

Verdict:

malicious

Similar samples:

1621dac1140afd3e3eed4b0f4ab0a93e81cd56c76e7532a0cc03d0b5a8dae04d

228e2e5ff30fec5cdde918f48e98664d9bf1f77f550666baa21208ca9b047af4

344d949f94b4420c0cd7772fa786e17059d5599df223a93ef999ea2c663ad8be

3a7e2e98243c188fbda3734b22856c30febb41d1f7e0ddbc034906288aa72dae

45024576e848c50c9199cbfe61462e11551ec6ce99cb7ca39ae929dc77aa348f

6b307cbe4f1e8d769af95142d574e77a50654e25cce234f48da6c5e7a7aa4b99

783c6835be34af1803983890ec14e1edb2ac7cef4442dff43cddb719d97236b2

9c5d88a1518cd310e763757d9acd267ed5741d6c79036e1053381729a0d700ca

ede6df4a8c12ce93266ac2c5ace537e336600a441aa5a271829a5013e8fa20c0

f3f3cda95f4d655f189381268676beef7ab70ed8355ff178abcad416c71adb22

+ 4'915 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-m7lb4ha2j2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

rezer0

Formbook

Malware Config

C2 Extraction:

http://www.tromagy.com/g8u/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

95ece3e54f0b57155d81e20d64201f0e

exe b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663

(this sample)

Dropped by

MD5 95ece3e54f0b57155d81e20d64201f0e

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample