MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2fb5b8b623b7bca926fc2d6e92fa81360e2375af49a6d08ce1391282a9b4276. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	d2fb5b8b623b7bca926fc2d6e92fa81360e2375af49a6d08ce1391282a9b4276
SHA3-384 hash:	41129398cbb53c05132b677275952d2b443701ffbb5e7eff28d00e7f754e4f562ef7821377f303877e0189170958ce63
SHA1 hash:	524b664b10743fae8da8a4a0f05bd5cd6ebaf948
MD5 hash:	1fe9a5d2599ce2b23b298d1bb22dabe3
humanhash:	bakerloo-mountain-two-triple
File name:	Purchase order list 2020.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	292'352 bytes
First seen:	2020-05-11 09:17:35 UTC
Last seen:	2020-05-11 09:58:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	6144:wE/EePx3LzD7NKuLhz0bM+w0K7JUyjcTMUhLpC8cC:wEnPhLzD7NNzYG7JUD/hLp
Threatray	54 similar samples on MalwareBazaar
TLSH	E554011BEF3C8637CE25C6BF88B116B9436003FA0502D7BBAD4638551CE73549691AAF
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: keo.com
Sending IP: 185.35.67.19
From: rosie@gwgmts.com <wyatt@briannterry.cf>
Reply-To: franccmcleather@gmail.com
Subject: Purchase order
Attachment: Purchase order list 2020.arj (contains "Purchase order list 2020.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.45549.11508.19679.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-11 04:02:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2l5vxc3chn54vetpyllosl5icnqoen226sng2cgocoisqku3ij3a._file

Verdict:

malicious

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-44zjsye3mj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.mansiobok.com/sh28/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

arj df3437e99c6f8b832746d597f16e291a4d2242373587ad349af792ded72f2eec

FormBook

exe d2fb5b8b623b7bca926fc2d6e92fa81360e2375af49a6d08ce1391282a9b4276

(this sample)

Dropped by

MD5 65316c690d10952c39950ca7bf8e1c56

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 df3437e99c6f8b832746d597f16e291a4d2242373587ad349af792ded72f2eec

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample