MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6d5e1fdae2634a3a2a29a8c5de69f725ebceefba86d3700bc922aac7f55a1f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6d5e1fdae2634a3a2a29a8c5de69f725ebceefba86d3700bc922aac7f55a1f7
SHA3-384 hash: 62d961dc145a7c5df6f06fee913fa65dfc13a3eb9c23019ad1928ffb8ed2a4e16df16569fda4965d83ad50f2e3a4ece7
SHA1 hash: 262ca1cc044fe20304420bd9184661c6cf7bebc3
MD5 hash: d05c5365965df3ef448bdb813427767c
humanhash: bacon-equal-angel-steak
File name:payment
Download: download sample
Signature FormBook
Create hunting rule
File size:823'808 bytes
First seen:2020-05-06 17:10:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 46978de0f8944a65af1673d613222a98 (5 x Smoke Loader, 5 x Vjw0rm, 3 x FormBook)
ssdeep 24576:nNR2zaQBt37/CZ0w1PeWnzqhqCC6+PEsQ:+UsrC6aER
Threatray 2'268 similar samples on MalwareBazaar
TLSH D9057C12B3D3C1B6EFA225F2C5B553320939BC38173CA6DB7390392EE9A06C16A75355
Reporter abuse_ch
Tags:FormBook payment


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail.armaniousgroup.com
Sending IP: 196.219.214.52
From: Iffat Marashy <peter.remon@evapharma.com>
Subject: Fwd:payment from bank
Attachment: payment.zip (contains "payment")

FormBook payload URL:
https://paste.ee/r/Wy6V2

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2924/
Detection(s):
Win.Malware.Autohk-6995517-0
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Scrami
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 01:39:22 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
21 of 31 (67.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y3k6d7noey2khivctkgf3zu7ojplz3x3vbwtoaf4sivky72vuh3q._file
Verdict:
malicious
Similar samples:
3afe4dd1466eb99bc7ab905a2363173dc043f9060982c49b6f5da73293f7d6ed
FormBook
65c86813da2eb5bfc495e538fa4e77f8c3a3c03418e655ac8262bc0aa42281ba
FormBook
693626ad4ce750ecb027980dfb505ca69872923702dfe564e0adcb651e8c60d9
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
b8ee3458736fa73672b43a4c55e136bafc48b215dcb89dac28b5865ab59fc99c
FormBook
cb663a4fa79cb0fcb52c3049b65b1a012c45e72badc13c931fc2c72a8a94dcca
FormBook
e69790e910b1817bcfb714f20fda02b6e024babd3dfcea8fa982192928a5df93
FormBook
e971ff222148de51a5cb8aa8648b76b727179bd39bd2e01b5824c9e752fcf147
FormBook
eecf5fa7aabf91128e8b3d5a6b6541ccc4e379c18cfe1d35f2473740a192e8d1
FormBook
eee468bff615adfd8c7b6afc3dc8d064e5076e6175e7d28e233983e08a0a4426
FormBook
+ 2'258 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-eck71w4v4n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Blacklisted process makes network request
Malware Config
Dropper Extraction:
httP://paste.ee/r/Wy6V2
httPs://paste.ee/r/mbstg
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip fbc74bac868ddd18b7b8214f0a8d07458012a51b7659eda32ec19faa001e4534

FormBook

Executable exe c6d5e1fdae2634a3a2a29a8c5de69f725ebceefba86d3700bc922aac7f55a1f7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/359005/
  
Dropped by
MD5 4da15fe2907aeaa0f350b49a1bf0a067
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fbc74bac868ddd18b7b8214f0a8d07458012a51b7659eda32ec19faa001e4534
Cape
Cape
https://www.capesandbox.com/analysis/2924/
Cape
Cape
https://www.capesandbox.com/analysis/2922/

Comments