MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1103e6f026f85275a21a6263a141142a733a222c923fa7232c4c9935681e91d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1103e6f026f85275a21a6263a141142a733a222c923fa7232c4c9935681e91d
SHA3-384 hash: 4803108c456d71c2eef3428d94208b0f87783bc12460c1087672ea63f3c3b132c75d1f7ac7f8387b0e691acda4c37d70
SHA1 hash: 3257330816c03357a67348c3d36ca166e6daaf27
MD5 hash: 3fbf337a60ac42bfbaf8323ea191bf54
humanhash: kansas-massachusetts-lamp-mobile
File name:Copy22.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:377'856 bytes
First seen:2020-06-20 12:53:01 UTC
Last seen:2020-06-20 13:41:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:FFDFgvs6yRFxq0T6RsxijvMOT456K0P5UPAjUDuT9kgZQZjYbdM:6s6yR7q0ZmUOT45IPqPAI4Mj
Threatray 5'103 similar samples on MalwareBazaar
TLSH 9D844B5D93604297F1082B35D67D7E1902203CBD75C2EBD4B6A9BA17EEE5BA2183301F
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: qproxy6-pub.mail.unifiedlayer.com
Sending IP: 69.89.23.12
From: Mrs Anita Julia <accounting@gadingcakrawala.com>
Subject: Re: Bookings
Attachment: Copy22.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12329/
Detection(s):
SecuriteInfo.com.Variant.MSILPerseus.225296.11009.26463.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-06-20 11:28:38 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4eid43ycn6csowrbuytdufariktthirczer7u4rsytezgvub5eoq._file
Verdict:
malicious
Similar samples:
0df0a487b38b5d9bdbc8e2c05ba4c639dfe09969f5f68c85da43b46c16a48f6b
FormBook
22bea0d09946c96b55c60951e5ca7d63a6afad7e5f9fbdbe15d2c6c7b187ddcb
FormBook
275537d87441c354b859273e0729177d78f185bebdd9a86fac240a3f168a80a3
FormBook
2ad4a02a1f907b8036b9bea0fd940bfb47435964b23ffae577080823c86500dd
FormBook
2b12d292ec4052f1e9d0c407fa6e522c945fda64796468f681c37ed68a25284a
FormBook
2cb2db5123d7c8cce87537dd8de3a48ba93b6b6ee23fa14398355173741f8c40
FormBook
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
FormBook
344d949f94b4420c0cd7772fa786e17059d5599df223a93ef999ea2c663ad8be
FormBook
4fc219b61d4c1ec456ac76af0a82dcfde187dcab2b015a277c6ee96b04930091
FormBook
b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663
FormBook
+ 5'093 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware evasion trojan
Link:
https://tria.ge/reports/200624-q9rcep8gf2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run entry to start application
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe e1103e6f026f85275a21a6263a141142a733a222c923fa7232c4c9935681e91d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12329/

Comments