MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1cd1dfe3657445da551255b38ae6eab649729dde0bf68a3df112c4059855df4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	d1cd1dfe3657445da551255b38ae6eab649729dde0bf68a3df112c4059855df4
SHA3-384 hash:	ba4eb724c50d0c3856863bcacaff2fa054a9864709ee96e86ac0db977ec1486c692030220d71ca6be63f12684b18310c
SHA1 hash:	4f10ae59e42ae1b80ddaff3ad92f05a101c72029
MD5 hash:	413cc7e7533e9a07eb1ddbccea8a6aa0
humanhash:	may-tango-moon-sweet
File name:	List of item.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	301'056 bytes
First seen:	2020-06-11 05:55:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep	6144:lFAIuvq8lFeqEAgwlvFuHToB9Q5JMOCgPNAcjpeIxbX/KdjW5:Pui8lZEfwlduHWQ5JMOxNJwWbidK5
Threatray	2'353 similar samples on MalwareBazaar
TLSH	A7540288B7BCE753EE7E17F984B216814774BC192963FB0A4DE471E609373940990E2B
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: mail8.kracktus.live
Sending IP: 157.245.227.152
From: Rafael Bernad<account@aeontray.com>
Subject: Re: COA,GMP,MOA ORDER
Attachment: List of item.zip (contains "List of item.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

76

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/8885/

Detection(s):

SecuriteInfo.com.Artemis413CC7E7533E.30341.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2020-06-11 05:57:09 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2hgr37rwk5cf3jkrevntrltovnsjoko54c7wri67ceweawmflx2a._file

Verdict:

malicious

Similar samples:

0c76dbf49b51ec12d4ab052ce8e5ccce2bd58e67161e184c6dbdfdeba3014f06

1d4b91dc88ea2559572438fe3b57c6449bb5e0a66c9f3f9e90a22393caf5d30c

5205f5e4d159f32f819aac8c870fffb7612b13c0a0d12236730743b9239251df

846d2bcdab1a1342fdfcf0636d1ead7b9411d1212331ca95fb568f56ecb7842d

9100a66246aa52a3839f411bcf8763f423abd9ae1ac664ea0435d23bc0e6f03f

9cacb5c20d8617cc4d21dd39eca22349b94ae4bb9e4baf544fc25584cf0288de

b186287c6298b4ca285cb9da1e82ffd351c4195f7673d93aa595aa987cb01676

bcbc247fa3511376777587035868c9a0f8fda850fa5f7d84c81fa5de905bc0d6

c166a4a1899462e20516825c87f9545cdc7b24654d1f18b864da4ee641af5ace

d7143a0fe03e7294be0319e92f0a78bcbe8a0e97a4a2437e5227304e0fe37d29

+ 2'343 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook evasion rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-jjr54w4a1a/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Deletes itself

Looks for VMWare Tools registry key

Formbook Payload

Looks for VirtualBox Guest Additions in registry

Formbook

Malware Config

C2 Extraction:

http://www.nacemo.com/cza/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

a3f027c2c541119fdd3e29734652d331

exe d1cd1dfe3657445da551255b38ae6eab649729dde0bf68a3df112c4059855df4

(this sample)

Dropped by

MD5 a3f027c2c541119fdd3e29734652d331

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/8885/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample