MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb7d7db00c98fc9b833c3da4a614e726380c6d0a8d5fe45e12ec4209ddf85806. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	bb7d7db00c98fc9b833c3da4a614e726380c6d0a8d5fe45e12ec4209ddf85806
SHA3-384 hash:	ad2a53909cf9c47856ce9a4ed2ea0b373de15c98d8b19232646e423beb8e313827a0e5262cb36c36e692b23c90b6efde
SHA1 hash:	cc61e8747fa5fbbd92ea0f9584acb6b7241e7345
MD5 hash:	b206954252a57389f91172d24303b448
humanhash:	wisconsin-golf-eight-solar
File name:	PO.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	330'752 bytes
First seen:	2020-05-29 05:54:23 UTC
Last seen:	2020-05-29 07:09:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	6144:PY+HuHXHZJn+hEYXR3Uwp9Y996IT9ZiiU6zvdSNSGuV3tvaUU6cASp3T7tGn:PKJn+hE4RI9kIT9wiUkvaHKvaUmA+3w
Threatray	5'139 similar samples on MalwareBazaar
TLSH	2664D01172AECF73DABF87FA80E5644103F672627062F345CDC670D22666F408A85E9B
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: rapidfast.dnsopt.com
Sending IP: 37.187.72.219
From: Armenia Digital <sharjeel@fisherash.com>
Subject: We are interested in your product
Attachment: PO.rar (contains "PO.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

76

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.49533.913.25224.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-29 01:21:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

10

AV detection:

32 of 48 (66.67%)

Threat level:

2/5

Verdict:

malicious

Similar samples:

2151298323c73bf6173dc2887e1f50d78d493d3029f3da3b525e48f3aeea5e47

64379371f079edd1bb0d1a26a98e0a487c4e89a468f60674d803f929d24d3ecb

6f4b543bdd425e2cb35fcc06f79dfac486985ae0d84133c34e0fd01b3a2c22bb

8606768cb758ba8379659f65220250ebc1c491dabd668e7f98663571419cadf2

8c57c150d120c496a04aaad020b5458e8eff5f3fd69704a581360c785288c8d0

9b727d12d8d7a5568f0e1e4aa4d5e50365e7de1a213f672c68db74aae0f68246

a0c33533f61ee5c6065bf97a8e821512778417f2d51b205637af5324a68aa162

b189f4b81e32c2be2c252d6f6ba160bf8566aa74be9642af4af5e3b424be54ca

b43bca6dcc03b6c289b15fd6dde4bde2dee13d024f08b0ca47efefc9d9aa3d8c

ce6d1fc239eb571fde9427c0d7f11d7b6a7a1c0466711524b690ca0de3556a6b

+ 5'129 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook coreentity rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-qvf4qz5n5j/

Behaviour

Creates scheduled task(s)

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Gathers network information

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.spatren.com/duj/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar af69618c19ea170185bd24b3933d3bcbfef8cebe423274661da9001d6ba1ae9c

exe bb7d7db00c98fc9b833c3da4a614e726380c6d0a8d5fe45e12ec4209ddf85806

(this sample)

Dropped by

MD5 5e6ac34d128b61f14f548f43df6b4062

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 af69618c19ea170185bd24b3933d3bcbfef8cebe423274661da9001d6ba1ae9c

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample