MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d796f6805d3b2379a57954f070415cabded6cf360544f1ba36acb75d558449db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

SHA256 hash: d796f6805d3b2379a57954f070415cabded6cf360544f1ba36acb75d558449db
SHA3-384 hash: ea26f563641b69952913e338b48f93f1f1619bfaf54698f37f22f229fe654b70105093b24c6d383cfd6c2a9ca41f41df
SHA1 hash: 8d8c3ef4a581b28c93ebffd2dd6f8c06f1f42446
MD5 hash: 7df9a7f352c018c778c850727074fb09
humanhash: asparagus-sad-xray-diet
File name: HS361 dt 22.10.20.exe
Signature: Formbook
File size: 465'920 bytes
First seen: 2020-10-22 07:41:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 6144:m5LGM4cDvQ/ts9gCGBo2XN1gXCZjtZSSpTuMQgvqutGOKqdjWscDYnpUl4SPemuq:mwM4WQ/c2V3yMQgvquQOhBWseYSl40
Threatray: 4'683 similar samples on MalwareBazaar
TLSH: 6BA4BFB27C92587ECA6E0771416984C1FABA16C73FA48B0D725F830C0E15A2BFB57257
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing unidentified malware:

From: G Joseph <support@qbasica.com>
Subject: FW: Freight Invoice - TRUE LOGISTICS [P] LTD
Attachment: HS361 dt 22.10.20.zip (contains "HS361 dt 22.10.20.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 82
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file
Running batch commands
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-10-22 02:54:16 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Unpacked files

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d796f6805d3b2379a57954f070415cabded6cf360544f1ba36acb75d558449db

(this sample)

Delivery method
Distributed via e-mail attachment
