MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3dbbb858177e3f3bae3fd5501eb0c8d4109ed87b534dc97e50a2142f616201a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3dbbb858177e3f3bae3fd5501eb0c8d4109ed87b534dc97e50a2142f616201a
SHA3-384 hash: 243c035c0fd2a3f1e9978ee65f30139d303cb6e72ea6f908b7ff9579ba57aa4a0fef7aafce33d360b5db66ce8e639a0e
SHA1 hash: 24bb123ff7916de1e332ccf24195622e17ca9788
MD5 hash: 0a8825c8efd3aa13a9994a6baeba60f5
humanhash: timing-nevada-uranus-green
File name:Inquiry.pdf
Download: download sample
Signature Formbook
Create hunting rule
File size:420'352 bytes
First seen:2020-10-06 06:10:13 UTC
Last seen:2020-10-06 07:22:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 6144:CKf+0/hitjkl6VgxLNxWOFCcjmeBKCI9qVPjaXw+lTw:n2glBLNsgCcSeUFL9
Threatray 155 similar samples on MalwareBazaar
TLSH 5A94AD7D76834B6DC96E4271816180C1F67612C63F61CA0E71EB630C0D87A8BA7DB76E
Reporter abuse_ch
Tags:FormBook pdf


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: atl4mhob23.registeredsite.com
Sending IP: 209.17.115.117
From: rr <rr@educationaldecisions.com>
Reply-To: rr <rr@educationaldecisions.com>
Subject: New Order & Inquiry
Attachment: P.O. 20388-RI.zip (contains "Inquiry.pdf")

Intelligence

File Origin
# of uploads :
2
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68451/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Creating a process from a recently created file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/482395
Signature
.NET source code contains very large array initializations
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e3dbbb858177e3f3bae3fd5501eb0c8d4109ed87b534dc97e50a2142f616201a/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 02:54:42 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4pn3xbmbo7r7hoxd7vkqd2ymrvaqt3mhwu2nzf7fbiquf5qweana._file
Verdict:
unknown
Similar samples:
1d6ebe730f9e4982f8d897a909ef1b575ad8c4bc9483666979b738de92982cd9
Formbook
364382b6fb6aebc6c7faca44b8a97451012467639f12962715a9e178d9099e18
Formbook
659c836026b1ee353c16584705804815ea357519b446db36822fb40bed5ab320
Formbook
6a25765e7d969b6c324cc461b08d947d49204191d97f620b4a74ba0f6dc744ca
Formbook
73f6286bd85316cb72796f461e1ad724b8434837f1a10a4a625862c3a7e3c173
Formbook
93129fbf583ce2e637e0a21c490a549e1597902179636ebc13a7c937b5707782
Formbook
b2fe9bcc932ea65ec98318fd983e862172123cab111e728d97c23258749521c7
Formbook
c1830ba81a707357031fc8e5cd7cf3a6083c30f33669fe29590cc639140d6780
Formbook
c2981a728305c1d0acf84d81922860e2d864409d8602b499258b4e51e9e04c4b
Formbook
c62ef08103c30d5d2d18fbc2eff820985af40aa377828ef72c3ecad495103511
Formbook
+ 145 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201006-9f3t2k1g8j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Unpacked files
SH256 hash:
e3dbbb858177e3f3bae3fd5501eb0c8d4109ed87b534dc97e50a2142f616201a
MD5 hash:
0a8825c8efd3aa13a9994a6baeba60f5
SHA1 hash:
24bb123ff7916de1e332ccf24195622e17ca9788
Link:
https://www.unpac.me/results/fe3faab3-16f3-4d06-a76f-3461f87eba37/
SH256 hash:
b80155dbd80f8bc5d3f59e08df47aefa42e73612aac6e8845fad3cae516cbdb0
MD5 hash:
0478256ba4237f2e33b77f8127d9a145
SHA1 hash:
560f2cd098bd81c18174d980652b28a8c90c48e2
Link:
https://www.unpac.me/results/fe3faab3-16f3-4d06-a76f-3461f87eba37/
SH256 hash:
d065744c83c37b059fd345011b6c21297a5de8bc5ebbc93f05add6315bee770a
MD5 hash:
17d8bbf85363bf3ca0f6b4d0154dfeb7
SHA1 hash:
6295dcb6bfd8907d47b3db14d0d4b230c4f07186
Link:
https://www.unpac.me/results/fe3faab3-16f3-4d06-a76f-3461f87eba37/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/fe3faab3-16f3-4d06-a76f-3461f87eba37/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
a7ea57c7bf17b3bbe5b6c01f9c95886dcd3f04c30c45b6ad002437805309bb51
MD5 hash:
88c614f5bed980fb37d354924190cb59
SHA1 hash:
68700da38792f5353a7475cbee8b00c71d55b557
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/fe3faab3-16f3-4d06-a76f-3461f87eba37/
Parent samples :
e3dbbb858177e3f3bae3fd5501eb0c8d4109ed87b534dc97e50a2142f616201a
8676171a61775f7fef94dbc24a3fb4501d001d6b7e0ef7249ba517b41f011c10
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3dbbb858177e3f3bae3fd5501eb0c8d4109ed87b534dc97e50a2142f616201a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip eb6f89bae4fa461dfea91ca99563c4fd0ef8d3e5d876eb8e1944c99c6ce75760

Formbook

Executable exe e3dbbb858177e3f3bae3fd5501eb0c8d4109ed87b534dc97e50a2142f616201a

(this sample)

  
Dropped by
MD5 a415015a05200548a1b6deda94d13efe
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 eb6f89bae4fa461dfea91ca99563c4fd0ef8d3e5d876eb8e1944c99c6ce75760
Cape
Cape
https://www.capesandbox.com/analysis/68451/

Comments