MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcdd457e51bde64c24cf118ac54c8489efbc4bc55b5f1afc4facdfe673d3543e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcdd457e51bde64c24cf118ac54c8489efbc4bc55b5f1afc4facdfe673d3543e
SHA3-384 hash: 0c91279a70a9b2a1488f9d4e57525bee6b2d340cb869e2595659f2a806bb3c067810750626e27670edf195b6702b8fdb
SHA1 hash: 6eb95f694e04e67144a2a6cb9f5cf11bebff52ba
MD5 hash: 722b7627dd1fa511d31511df19ee5e8f
humanhash: london-white-enemy-bacon
File name:Remittance copy.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:388'608 bytes
First seen:2020-08-18 13:12:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:B9+F9vQP5cgF1xFw/cFrY7/wwn8knc5JTKnCpZDMHMUvIwn5tu+3U2SuQ:+9vQP5cgTxFw/7bFnNn1HMUB5Y+3U9n
Threatray 2'405 similar samples on MalwareBazaar
TLSH 8984E01CBA14B29FD82BCD3AA9A41CB0476162775307F2435C5399DB6A1DEE6CF018E2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail.environment.go.ke
Sending IP: 41.89.1.174
From: ADMIN <cas@environment.go.ke>
Subject: Balance Payment_Y/ref Invoice No. 309320_ EK
Attachment: Remittance copy.rar (contains "Remittance copy.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47891/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun by creating a file
Unauthorized injection to a system process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dcdd457e51bde64c24cf118ac54c8489efbc4bc55b5f1afc4facdfe673d3543e/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 05:40:15 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3touk7srxxteyjgpcgfmkteerhx3ys6flnprv7cpvtp6m46tkq7a._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1bfdb7e4f0aadba330b6017c2608570e791bfddff789d128ecb5ca9a5a06e6fe
FormBook
263573ece93d13d69ed99ea6be5715ca5b15e1877ed09a274ca9cf55f4d16a22
FormBook
381f02195474516491ab7964f7c266d5b8dfb99e0b84b359bba583ba6fd8ff88
FormBook
673aa6ede02270b33f4a7058ec4e31eabd688ca4c75037ed4a7f92470a42a271
FormBook
7cc4e45a2448e81c638cf0a84c269d7d926135647f95d318279429587d462e9a
FormBook
8ae81522b85b942557d654bd85f719d2a8b539106e787c451f0d2856effc6ca4
FormBook
9f20023fc4c5c192804b85d3d206b9b78cbce88746d8611a69d27f40228d1f0a
FormBook
af27bd7180ad756460e32f2ae56db7cbdc8a79e73a36b261a96f803e5b051fd5
FormBook
b502f774e9192f77aa713347f2747b67df5a473be721226bf0b2d98bdff8a835
FormBook
c9522b2123a5c1d678125fecafc722f82d46c099f6c1cbcca6b95c2911130927
FormBook
+ 2'395 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200818-jq6f9cv5px/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.iskovlay.com/mcn/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dcdd457e51bde64c24cf118ac54c8489efbc4bc55b5f1afc4facdfe673d3543e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 1a4809d9659b8a22d5d49392e0fde83c9eec86edcfe5900a7ffd78524c0b3b8f

FormBook

Executable exe dcdd457e51bde64c24cf118ac54c8489efbc4bc55b5f1afc4facdfe673d3543e

(this sample)

  
Dropped by
MD5 36a462af7f1045560fe42ecae544586f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47891/
  
Dropped by
SHA256 1a4809d9659b8a22d5d49392e0fde83c9eec86edcfe5900a7ffd78524c0b3b8f

Comments