MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348
SHA3-384 hash: 1620454c487f7fefc4642c2397f63b965ec6a0e7460545dadf815902eb5ff62a5893f543937a6805f5df80d074f246d6
SHA1 hash: 8b0099a296433b49e0c00b03d895b3e4a65feeb3
MD5 hash: 4d2fb973d84c8528bd40f4173e87dfc9
humanhash: harry-may-south-oregon
File name:PO 14544.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:685'056 bytes
First seen:2020-06-06 11:12:23 UTC
Last seen:2020-06-06 11:51:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 54cee678352cf2baae9e305445758282 (1 x FormBook)
ssdeep 12288:/c0bUnE340Xcc7ERfOxhbiBveQWDM9dOxAokv0QuNdBZAKBEPqCbXYUSM+UFuA2A:ZQ70X5ERGmBveQWDM9dOxAokv0zdBZAR
Threatray 5'125 similar samples on MalwareBazaar
TLSH FDE49D7FA6A04832F362D57DDC0B577858EABF1129285A472FF4DC4CAE39281342B197
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: oak.superdnssite.com
Sending IP: 108.163.233.154
From: Shanzay Barlund<smtpf0xeo@nyandaruainterfaith.org>
Subject: PURCHASE ORDER 14544
Attachment: PO 14544.uue (contains "PO 14544.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-06-06 11:14:06 UTC
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y5keylkbqbta7q5jn45wnnokudqwrxh3wnniody4k5vbklwwenea._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
FormBook
0a06767c6ec2249902ef118e04b2044b9784b544b81a7f5e253ae373fd706ceb
FormBook
172842029f8937753e79843e36fcb4715c0f3a9de4b256585847df48caf8e10f
FormBook
30bbf2043054b92e495bbd55f67e43b8eafce430bf31d8aaa4899385e503cdbe
FormBook
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
FormBook
4359188e33f22ea7022cb6e57a3870f2613a1c37dbc483475e02b38cde5bfa8e
FormBook
9a1bbd02f1dc5ae62f13a00f38067354bf8a754e72e3ebee49a8b6aaa7b7e41f
FormBook
9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412
FormBook
9e4dcaf1e587af9702c21677d6447f90eff8437573e8400a8668db31d7bc7c3e
FormBook
d9ea7ed19010ef0c36ebd05d5abfd5624e21a33ad5e18ca36007671d86eba8b3
FormBook
+ 5'115 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-bldphwt722/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.worstig.com/w9z/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

uue 6d10c431a7c15c12c7db495531167d82321f21e3073db13dd5dd11c273fee711

FormBook

Executable exe c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348

(this sample)

  
Dropped by
MD5 09cb726f8bec19fe30e585e5fa938c4b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6d10c431a7c15c12c7db495531167d82321f21e3073db13dd5dd11c273fee711

Comments