MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfde397777649775de98d115897d5f265c2319c70d6906f877e61109e1c80e80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfde397777649775de98d115897d5f265c2319c70d6906f877e61109e1c80e80
SHA3-384 hash: b6a5211ca752dcee97cc41f0be46e6be2df9656ac0a5bd28f371e346940ae5aa71efe38276f1f2f12505c7b9f1fc53c8
SHA1 hash: 34853b28b169a4f54c044bb6125af656436d52bd
MD5 hash: cf52b3aab7d638d1415adcef589e2711
humanhash: thirteen-avocado-eight-cup
File name:14020S00018_pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:332'288 bytes
First seen:2020-06-24 06:29:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:wXhdSPUeMfw3TYq81+J056Zy1+1ZIAsHwdmZvtjA3iEkvdu:weNMfwjK1Ye+jIAsHTZVUSEn
Threatray 2'481 similar samples on MalwareBazaar
TLSH C764F10BB78CBA13C6B829F984C69B4413B969AF7551F7C96CC03AE129C37F559212C3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.bontechnologies.com
Sending IP: 46.4.133.15
From: Logistics <logistics@amosgroups.com>
Subject: RE: FW: orders in AMOS - NORDIC TRISTAN*Gwangyang call 14020S00018
Attachment: 14020S00018_pdf.zip (contains "14020S00018_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13468/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bfde397777649775de98d115897d5f265c2319c70d6906f877e61109e1c80e80/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 03:20:45 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x7pds53xmslxlxuy2ekys7k7ezocggohbvuqn6dx4yiqtyoib2aa._file
Verdict:
malicious
Similar samples:
062778fce91ba3c9ecc4b3cc3cb5b4e3f41846699307fe2da8295c3b3da0339d
FormBook
4ad5c25440866b278662c4410e30147f8d0dc94c7c4024d56955174ed608d3a9
FormBook
666b4d8521af8e8c149431fea4f3fce4d859b9d102e894928edb0e005ad8153d
FormBook
720f6f2a125359d8b85eea767c95d0059cb46eba2fc05a53bcfbf73b5bfc8531
FormBook
7523c12a912fa702d0d82798e013bf01d7be7b4b0fd08989bdb48c04738c876c
FormBook
82bdf1c9eeecb62113d9b063bcf848c14e4cecf21950b129fefeb40d6ec95a70
FormBook
8470a2e93ae48abb1b987d9927277eb7a3bde99fe0d048274f839cc25aa3aa95
FormBook
a35d69993515cae4a630d53eed0c26a8bb5c9026db01caba7b4e8a07075d209a
FormBook
ceee0c8772c6b5a2cff7d9f3bc824c088f3c7d034b9898c74f79e11b59210257
FormBook
f4f6a523d411d3407372f81a18fe32a078e36c3715cf3b88f60fe05e6eb37fba
FormBook
+ 2'471 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/200624-7yxqr3p7v6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious use of SetThreadContext
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 4ef89e083ba12cc69592ab5ee649e7a64be87d2d11cb7699be18c564dd2d45e6

FormBook

Executable exe bfde397777649775de98d115897d5f265c2319c70d6906f877e61109e1c80e80

(this sample)

  
Dropped by
MD5 a843f1c7c8727bce24c7db0000a0fdc8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4ef89e083ba12cc69592ab5ee649e7a64be87d2d11cb7699be18c564dd2d45e6
Cape
Cape
https://www.capesandbox.com/analysis/13468/

Comments