MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec8d87e7db1c4f69358cdd9de92c9f8d4077dc7b61b4ccb834bf2fe129279289. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec8d87e7db1c4f69358cdd9de92c9f8d4077dc7b61b4ccb834bf2fe129279289
SHA3-384 hash: 3a549c57349deb452cfe6badba062491bbc8f8b745af93130ab280a6fab37929654951316d979c36eee5de8bb1054182
SHA1 hash: 6ec5f57a41bff9255e62822f720c089cb372f422
MD5 hash: dc81e74a59940379870c59aff72f1540
humanhash: timing-cup-delaware-friend
File name:8903-Dco2.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:570'880 bytes
First seen:2020-06-12 06:52:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:CjThaaILoeLQcm1g6gMlBNYSi8H1dx8Y/wTnmmHTBmrvmjQYC2gc/qviOn:CjTILoFcGJNfdx82wzmKYz2z6
Threatray 60 similar samples on MalwareBazaar
TLSH 07C428B3D31CC9E1CDA512F4521E8EA70A507F5FA0D5A2D91DEDB1BBCB39225E1D0882
Reporter abuse_ch
Tags:exe FormBook Yahoo


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: sonic301-30.consmr.mail.ne1.yahoo.com
Sending IP: 66.163.184.199
From: abdul rehman memon <seyani_1234@yahoo.com>
Subject: FW: Payment Transfer
Attachment: 8903-Dco2.rar (contains "8903-Dco2.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/9126/
Detection(s):
SecuriteInfo.com.Variant.Ursu.887367.20719.1361.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-12 06:54:18 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5sgypz63drhwsnmm3wo6sle7rvahpxd3mg2mzobux4x6ckjhskeq._file
Verdict:
malicious
Similar samples:
0fca6f4fa44279707d8baca71d47f79687c62f528d0e872dc27c393e15567904
FormBook
15c86f03a9ef0aa9720a510fd21972a675d15c40ad3efbf52ff2e5cc9bb86c57
FormBook
58691961ce7be790966ab5f9b3e9e9740af77b78a36209c8bcd6c229bb1563bf
FormBook
5b775ccff09e5e183a237343bbc0b6057af38838c0781d7927ac5aa686d2e56b
FormBook
7c3289cdc59a8cf32feac66069d09c48a930d4665f740968521adaf870172644
FormBook
7fab681c57b3f8918c974e5a436b72f9a963ae8b4d4ab5592ceb17cdb57f14f9
FormBook
8b821e88c568d00613f802e79eda4c77913a09c7760dcfdd80e8886b0a8bd8f1
FormBook
9e1eb0470f3d916a2f5d92b6cd45bb504284c2e53f26d443a5c54ad1252c4d1d
FormBook
e0df0fba55e01353a9b0adf985e2cc625ba6741d0375e872ea012f99e5dc1f1b
FormBook
ffd1bee2a8fd62e3d445c7ceecebe9f615edcfaae2c4743e765e89a1570b51ad
FormBook
+ 50 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-be99v6pt9n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.hearxy.com/s5l/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar f01d9428ebec1c1c5fc1ef52f0d063333f2435ecdd1345eab5719bfae97ed896

FormBook

Executable exe ec8d87e7db1c4f69358cdd9de92c9f8d4077dc7b61b4ccb834bf2fe129279289

(this sample)

  
Dropped by
MD5 9168b69ce49f05e2d0b091e170a3ce54
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f01d9428ebec1c1c5fc1ef52f0d063333f2435ecdd1345eab5719bfae97ed896
Cape
Cape
https://www.capesandbox.com/analysis/9126/

Comments