MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ece024ccd4accbc99e106f03c4b4764765b37615e3caa0b021084ac5f689cc3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: ece024ccd4accbc99e106f03c4b4764765b37615e3caa0b021084ac5f689cc3e
SHA3-384 hash: 5f786424bcf6a63fdb5de6276b0ddefa80f705446d51a677217634852462a15e1fdcc5c24a61441e9f5411ceb222b31d
SHA1 hash: 1c487bae47d8f81ab5b2f851ace41b3520e0e77e
MD5 hash: e4df03f1fc29eb4fc32a0801b26ce6ed
humanhash: north-oklahoma-mirror-comet
File name: 2nd PO389733.exe
Signature: FormBook
File size: 359'936 bytes
First seen: 2020-06-30 13:32:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:IlcRkLx5GlHfiV7fZKB6zYF13oWzp+JCq+lqFfdyxgXtQ/PHa/izoTs:AcRkd5Gl/47fZwWEOOp+JrwqBdyYtQ/x
TLSH: 5A74D038321F6933CE6801F64583A60413B85DA53492F3D6EDCE30D916F6BEE9701A6B
Reporter: @abuse_ch
Tags: exe FormBook


Twitter (@abuse_ch):

Malspam distributing FormBook:

HELO: lucky1.263xmail.com
Sending IP: 211.157.147.134
From: Leona <admin@yingshitech.com>
Subject: Re:Urgent Order
Attachment: PO389732.zip (contains "2nd PO389733.exe")

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 42
Origin country: US

CAPE Sandbox
Detection: n/a
Link: https://www.capesandbox.com/analysis/17228/

ClamAV
Detection: SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

CERT.PL MWDB
Detection: formbook
Link: https://mwdb.cert.pl/sample/ece024ccd4accbc99e106f03c4b4764765b37615e3caa0b021084ac5f689cc3e/

ReversingLabs
Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Kryptik
First seen: 2020-06-30 13:34:07 UTC
AV detection: 22 of 31 (70.97%)
Threat level: 5/5

Spamhaus Hash Blocklist
Status: Malicious file

Hatching Triage
Score: 7/10
Malware Family: n/a
Link: https://tria.ge/reports/200630-jjf9hn2yws/
Tags: n/a

VirusTotal
VirusTotal results: 30.56%

Yara Signatures


Rule name: Formbook
Author: JPCERT/CC Incident Response Group
Description: detect Formbook in memory
Reference: internal research

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_formbook_g0
Author: Slavo Greminger, SWITCH-CERT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Malware family: FormBook
File type: Executable exe
SHA256: ece024ccd4accbc99e106f03c4b4764765b37615e3caa0b021084ac5f689cc3e (this sample)

Delivery method
Distributed via e-mail attachment