MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c128856d5c14b0bdf9b327cc2abbec30cfdfb5c0692f7ac57bc22551037da339. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c128856d5c14b0bdf9b327cc2abbec30cfdfb5c0692f7ac57bc22551037da339
SHA3-384 hash: 07fda2ba4e859df0de3477fefc7245dcfcf8220503820c17cbd0f525456fcd02e401fcd7a9493021206f5346757d6011
SHA1 hash: 1d0f81d6d2c82cc5c9f5a06dc08c1933a48389af
MD5 hash: 71d576e94e3417d6cb92868a5f11d6e4
humanhash: fillet-vermont-nineteen-cold
File name:payslip.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:386'048 bytes
First seen:2020-06-17 06:09:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:rVSIDFTmbfRUGCqzoWQ4L7/mfNYKo2o9hmay3XDZNOwKBJkABsq8:rVSITmbfWKufN3o2s4aCQBHBX8
Threatray 496 similar samples on MalwareBazaar
TLSH 2A84CF50B3629672CA581D36C6993225833ED50BAC87E32A16CDB1777DC17C38A52FCB
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: slot0.mcleeria.com
Sending IP: 45.95.169.81
From: TLS SDN BHD <info@mcleeria.com>
Reply-To: TLS SDN BHD <mailreply01@mail.com>
Subject: BANK IN SLIP
Attachment: payslip.zip (contains "payslip.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.54514.15714.3680.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-17 06:11:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yeuik3k4csyl36nte7gcvo7mgdh57noanexxvrl3yisvca35um4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
147e0bd6d82f2f3d9b402dec62020c117350407cf2871dd73a14a137ae647fd5
FormBook
2ba2967a4d170914094d511861a98d9be4f39aa45f5bed35e7d04013508f19fe
FormBook
2fa1eb179872a0c83b944f67d300e1ee6afbe4c31afa3eb687eafaa1e8571e71
FormBook
30e4e4dae89b18d6b6bc4ad98481862eed64806e84dceceaa328899185a7be02
FormBook
7cbad73d42c4241072e2163720a87762f258cbeca1584839d7ed7ee1148559e1
FormBook
9330ee2921887af4f02427f37ea2a7d0a296e2f82fe88c7001d73f74258ff92c
FormBook
977eb3104726250bc364dcb5732a75c743c502bd816aef9c813ba73cb1ce3cbd
FormBook
9ce61ae5037ceb9f8ce9dac6288d9125230dc58f58a4e1450e85081a8a620c15
FormBook
c58f0824b5c50b5988d4aa44635c1027209920bd8ab9baa6be6bd75997fc86bd
FormBook
dc61af34a94463996df082d9588b579b22f4b7bf6a63299d82cc51593b590352
FormBook
+ 486 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/200624-ntdccp116j/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 58ae502d775314dc44f061f90d10399a7d1eefeec5b6450c73ae916be34f8ffa

FormBook

Executable exe c128856d5c14b0bdf9b327cc2abbec30cfdfb5c0692f7ac57bc22551037da339

(this sample)

  
Dropped by
MD5 7e40165da9e81463b77b2e2344568087
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 58ae502d775314dc44f061f90d10399a7d1eefeec5b6450c73ae916be34f8ffa
Cape
Cape
https://www.capesandbox.com/analysis/19127/

Comments