MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebb20ece00b9d35c26bb797dbbbd6df726473e198a53095cb232dc8042c18d7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: FormBook
Vendor detections: 5



SHA256 hash: ebb20ece00b9d35c26bb797dbbbd6df726473e198a53095cb232dc8042c18d7e
SHA3-384 hash: 0b8b4cec85aa9b685a4edc28e05fc789a190790f6d6b20b02d1fa285eafa0cd54ed60eaed562198c1928630286c7e4c1
SHA1 hash: c1b71a77289261258d63964f1f6c661229cee80c
MD5 hash: a2d6ec11cb9f5d84ec286e04ffe53e9d
humanhash: pip-angel-skylark-paris
File name: Scan_03062020.exe
Signature: FormBook
File size: 581'632 bytes
First seen: 2020-06-03 15:05:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:pgpsPoI+/XQ7cJIAdwpi9Qz48IgK4paGoXSsy70HA4p8s2w6NKGVQIc6vHNst5ka:CpsP9GON8kb
Threatray: 5'428 similar samples on MalwareBazaar
TLSH: F5C439AD725072EFC857D472DEA82C68EA51387B831F4203902725ADDE6D997CF244F2
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: relay02.poa.svr4u.net
Sending IP: 180.222.177.75
From: S.Madicke SECK <purchasing@zjlmi.com>
Subject: NEW ORDER BGA-162GH COMMERCIAL
Attachment: Scan_03062020.img (contains "Scan_03062020.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 90
Origin country: n/a

Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-06-03 15:36:12 UTC
AV detection: 22 of 48 (45.83%)
Threat level: 2/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook persistence rat rezer0 spyware stealer trojan

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
rezer0
Formbook

Malware Config
C2 Extraction: http://www.porcber.com/mq3/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Parent sample: MD5 d43bab02a2be7426da415dfd98bc5ba8 (FormBook)
This sample: Executable exe ebb20ece00b9d35c26bb797dbbbd6df726473e198a53095cb232dc8042c18d7e
Relation: Dropped by MD5 d43bab02a2be7426da415dfd98bc5ba8
Delivery method: Distributed via e-mail attachment
