MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea95c0511e50da3a5225f551733b37b0b8f117b42dacd071620984fb550a00c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea95c0511e50da3a5225f551733b37b0b8f117b42dacd071620984fb550a00c9
SHA3-384 hash: dddd8dabdebe96c771d443f7116915f113de55418cf074fdf458f5560bf5dabd5a6405a034bc2d9346f80e25d80515ca
SHA1 hash: 194cb45026daa7ae7b098dff78838c077b854d73
MD5 hash: c1772685a60a21134f948ded4654fb6d
humanhash: equal-burger-skylark-mango
File name:MV ARCTURUS_RFQ_SPR024_pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'270'784 bytes
First seen:2020-05-22 07:20:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:Ntb20pkaCqT5TBWgNQ7aBGviVqysl0rdDhD8KXE66A:+Vg5tQ7aBWiVqeDhD9r5
Threatray 5'001 similar samples on MalwareBazaar
TLSH A245D01373DE8361C3B26273BA16B701BE7F782506A5F56B2FD4093DAD20162521EA73
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: lh001.interdominios.com
Sending IP: 93.174.4.62
From: BULKSEAS MARINE MANAGEMENT S.A. <infoo@bulkseas.com>
Subject: Fw: RE : M.V ARCTURUS - ARC/SPR/024-20
Attachment: MV ARCTURUS_RFQ_SPR024_pdf.xz (contains "MV ARCTURUS_RFQ_SPR024_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 07:51:00 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0b754578fd025440dc9661b2a4f0c853fa57a9dbb2c33d27ff7802176d38238b
FormBook
22948624c2febb3129079dfea0d1461ec0649c4f60ab69994876b9a8836a1142
FormBook
3188ff8a40a461c9e4e386a62daefbe7033034a0c28cfb2b02c20874b7f53b92
FormBook
4f51da0a7034a3b491bf21d56896d2cc97f5f240911abfaeacfe73d80bd84a34
FormBook
60c5b12508b9f3e9f77cd3a6f8e4b9f3cd546bdc97a76c21b0d758712d9ea4c7
FormBook
8d1512de63fd1bf66f80c8ec2ec640464a6ce986101849488372a38fed2bcfb6
FormBook
9465c69c18144431c36b77e4b36534684c7717f1d9970eb522b8aef716dd2458
FormBook
b6b19634b174ec68dacf4a4f936d8ad91e4374737de56f1e3995b51f778f755b
FormBook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
FormBook
f130cec484223c8a539691962d1f9cd065bb45776e25bb34037c64d89be0e9d5
FormBook
+ 4'991 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-mdb9pmgm4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.sucxet.com/z8g/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

xz 3d47f9dbde2f5133f7e7ce82aa4ee2cda2c56bdc355e584b680db0380f774e3f

FormBook

Executable exe ea95c0511e50da3a5225f551733b37b0b8f117b42dacd071620984fb550a00c9

(this sample)

  
Dropped by
MD5 1594c851cdea566c9a200ee7fc57797c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3d47f9dbde2f5133f7e7ce82aa4ee2cda2c56bdc355e584b680db0380f774e3f

Comments