MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce0792c9bcb9521a3f41b81c924c4a4412f475a551d4b8d45470739ca62b8ce7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce0792c9bcb9521a3f41b81c924c4a4412f475a551d4b8d45470739ca62b8ce7
SHA3-384 hash: 0c3c25aae9673cbc27d05f7ece9a2296fa91b42782fdbc1fcbf2f336682a9b99908ce0dfa664b1482d1ae7e734421705
SHA1 hash: 915ed927c0e4fec02924573d0406beaa031b2f1c
MD5 hash: cb5a344f00287db7601a79df3e585b33
humanhash: three-artist-three-crazy
File name:Order756576747876874653.gz
Download: download sample
Signature Formbook
Create hunting rule
File size:138'163 bytes
First seen:2021-05-31 13:29:50 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 3072:G+ps5jEb7/h3TaKZvLg7ilomHSrpj/abDsTuBySJ+ApAPmnxb:G+m5jEf/xHpTHSrpj/s6UsC
TLSH 67D3120E6E9C2A3DDE69BB823A1E0ED07C07697093D4F24C5DD8C59D50AF96612B30B7
Reporter cocaman
Tags:FormBook gz


Avatar
cocaman
Malicious email (T1566.001)
From: "andy@gmail.com" (likely spoofed)
Received: "from mx1.dreamhost.com (unknown [103.153.182.195]) "
Date: "31 May 2021 06:08:44 -0700"
Subject: "new order for may/june"
Attachment: "Order756576747876874653.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL
Create hunting rule

Win.Malware.Formbook-7399661-0
Create hunting rule

Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce0792c9bcb9521a3f41b81c924c4a4412f475a551d4b8d45470739ca62b8ce7/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-05-31 13:30:15 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zydzfsn4xfjbup2bxaojetckiqjpi5nfkhklrvcuobzzzjrlrttq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210531-y4ng23vpj6/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.paddlersonly.com/prn/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/ce0792c9bcb9521a3f41b81c924c4a4412f475a551d4b8d45470739ca62b8ce7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz ce0792c9bcb9521a3f41b81c924c4a4412f475a551d4b8d45470739ca62b8ce7

(this sample)

Formbook

Executable exe 046bf8a6c9bc47b10b80a2ca83289714a931b5d10d864e02d2e20fdc09301108

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 046bf8a6c9bc47b10b80a2ca83289714a931b5d10d864e02d2e20fdc09301108
  
Dropping
Formbook

Comments