MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd7c17b39ab5f775700bae65b0930ae6b18e674036b6939c7264a9e7f14637ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	bd7c17b39ab5f775700bae65b0930ae6b18e674036b6939c7264a9e7f14637ad
SHA3-384 hash:	8484159b8182df2dd9601a5cf5b8c6d6894f87788325253af853ae8678ae28867f37142f3d75191635aad1f0d917d464
SHA1 hash:	0737254aeddb3e43995b996a2ed2f890dd52ef7a
MD5 hash:	1d3d99898d0fd21c0db2e7c705480b72
humanhash:	six-magazine-nebraska-lake
File name:	Invoice.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	406'016 bytes
First seen:	2020-05-26 11:09:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:XCx9dY0XSYSiT9sdYG3iLIhFhStNXDAGA3p:Xm9dY8+iT6P
Threatray	5'100 similar samples on MalwareBazaar
TLSH	69845A5B3250F19FC417C97E89983C20AE616CE6531BC203A0533EAD993D69FBF1D5A2
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: farshik.com
Sending IP: 94.100.28.181
From: Emdy oit <smtpf0x-hw4rl@farshik.com>
Reply-To: smtpf0x-hw4rl@farshik.com
Subject: Order delay
Attachment: Purchase Order 202005.iso (contains "Invoice.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

93

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-26 11:37:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

11

AV detection:

23 of 30 (76.67%)

Threat level:

2/5

Verdict:

malicious

Similar samples:

1be61c2f6e006dc35f4d81b2797d967d2a4ff04f854679d334abf13ceec8c508

1c17fcd097bdf870469b6ae65ca22d42ed57f250d411d9123a259146c8056362

1edf8c6bcf0ae2b38e9e28bcb1fd838c2ea35b5b126e4bc9e42daa2e1e722298

34c443f1958966963f6976bd37eefd299c17dad91759a54166e3056da8f0ad0e

94b89dec963ec5d8d9440acb8690d79494187187d36d0f964da12bba0cc1cad3

ae438370eda70ba48a763c526e61b068e16d11cbd00e9cb504d6f1eeb7442d22

c5049b79f66303da5f8f91e527b7f182a765c54c075f134b1779fc5802ad6b1b

cb79e22a86732bd8ccbb3d73dcc9ef716e305c85dfed8872851c273d1eaacaf4

ccfcf14bca2ebfe80aa2c5cfa4cf42330925665faa0b6300098c4d36f1c01695

dea5303370177b621cdd1fd497396ddaa9e94d3edd1407339f52f0dc85a67046

+ 5'090 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan persistence

Link:

https://tria.ge/reports/201109-egtktmbfts/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of UnmapMainImage

Drops file in Program Files directory

Suspicious use of SetThreadContext

Deletes itself

Reads user/profile data of web browsers

Adds policy Run key to start application

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.salomdy.com/rck/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso 7987f82ea939a4a41c4d99a49a82ff2ccb1256dc8b8923e7a9860ff1739807ae

exe bd7c17b39ab5f775700bae65b0930ae6b18e674036b6939c7264a9e7f14637ad

(this sample)

Dropped by

MD5 394bf88161f5d558fe2fa18606ee43b4

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 7987f82ea939a4a41c4d99a49a82ff2ccb1256dc8b8923e7a9860ff1739807ae

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample