MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4758d6e6dc8ddef0f36e438329c3dfb9892848d5e48dd929223327838882504. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4758d6e6dc8ddef0f36e438329c3dfb9892848d5e48dd929223327838882504
SHA3-384 hash: 76c056d78ce5b31a370ad063b701baa0b33f24b78c776ce54de5a47901de5bd71d4cbf08e05148c14b9a847bf13a0180
SHA1 hash: b2941554eca258fd9d525c7d594483e5bcfb9fa1
MD5 hash: 3b66a44282dd42c1e464a19c96c4b78b
humanhash: sierra-mississippi-harry-jig
File name:PO#92574853.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:274'432 bytes
First seen:2020-05-05 10:58:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:R6DqfCFE1glw37+itR2Mn/XOQKYEa53/qBtHYBJic8d0:ADqeE/LDRt/XmaR/qPYV8G
Threatray 5'100 similar samples on MalwareBazaar
TLSH FD4413A1420CC993E3F85D3CF4F716C91BB8D7A3E84A969F4AD39149305A79F7012C66
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail.moxiege.gq
Sending IP: 103.133.109.19
From: Import & Marketing Manager <admin@moxiege.gq>
Subject: Re: Purchase Order
Attachment: PO92574853.r00 (contains "PO#92574853.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.44391.1689.24088.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 11:37:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yr2y23tnzdo66dzw4q4dfhb57omjfbenlzen3eusemzhqoeieuca._file
Verdict:
malicious
Similar samples:
0008f0704652358e57b21a3bd6090a321962371c7c28f5b29909cee4f7608451
FormBook
2ad145ebeae4ff20eeb893b16658fe43d7557f30c746edc355a5dceb393bf8bb
FormBook
700f8405954cf77a38e6b103b33e4c7164202e9126b3b76044be35510b2bf440
FormBook
916237116e09e4233846389b7410a8ccc7e7ef96c0ed97c3fdb19a08499504af
FormBook
a09022457c7802a48a3f2ef32b8008da65fb4b28b43c8e6ac37c44f0a3ecc028
FormBook
a85f53a7ad2f536d245e47535007f2bceacfa10f08d7f3f6568781dd1794caa0
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645
FormBook
e2ee2925682e188e41fcdf49f0274de4617fc3a9506ad31be7a9caeca6d21b38
FormBook
fa8688776f5af3521ba0bef117fdac64d2473286ad637f9f55313dd2f049c32f
FormBook
+ 5'090 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-rbxtnwdyjn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mansiobok3.info/8ss/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

r00 183ac9cd489605b2a26f9971454a4eab32f406455d88328a6a9fdcdcdd8484d8

FormBook

Executable exe c4758d6e6dc8ddef0f36e438329c3dfb9892848d5e48dd929223327838882504

(this sample)

  
Dropped by
MD5 e134f0ac480e7399aaadfc59a2dd88d9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 183ac9cd489605b2a26f9971454a4eab32f406455d88328a6a9fdcdcdd8484d8

Comments