MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eefab144fefdb2883084329ab3755717ed6882b348eea18aa611a0a446c39f69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eefab144fefdb2883084329ab3755717ed6882b348eea18aa611a0a446c39f69
SHA3-384 hash: 09725ac7b6608724c2a17e3c6a6ff38418307f73808e372c5eeb6324c1cc59d7a5f37162a691e0d70024dc942d6a5ed5
SHA1 hash: 5362d71f99217538dfab58bbdbd9d5365f122a2b
MD5 hash: 1925a62510f501a5fcaf202f5e99301f
humanhash: table-nevada-echo-saturn
File name:Payment_Advice.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:713'728 bytes
First seen:2020-05-28 06:28:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 14a86d600c59a07735f44434c52b41af (10 x AgentTesla, 2 x Loki, 2 x RemcosRAT)
ssdeep 12288:8g8jof+rMCiLTwP+I3cUylgEe5tyZEA83GdaG51MSRvfiEUMnvoSTnUT:WE+r6QP+I3IgEgGEX2t1MSRCE7w
Threatray 2'228 similar samples on MalwareBazaar
TLSH 1BE4AF32E2E04472C163167D9C1B5778992BBE512928AA47EBE7DC4CDE357C138FA183
Reporter abuse_ch
Tags:exe FormBook SCB


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: terminal6.veeblehosting.com
Sending IP: 194.126.175.2
From: Standard Chartered Bank <AdvicesIN@sc.com> <amos@hexatech-my.com>
Subject: ADVICE FROM STANDARD CHARTERED BANK
Attachment: Payment_Advice.zip (contains "Payment_Advice.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Artemis3956A314271F.14689.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 01:50:27 UTC
File Type:
PE (Exe)
Extracted files:
294
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35
FormBook
06e0e3da562a627b84f328a76d70b62326e2b5a82fd28bf943b6d3dfd1f26cb7
FormBook
0d271903774ae9467d80cad6fcaec4d2ea4653b8eb4c28e0a1c7dbe0849ccd01
FormBook
370f3e9f42d074cd9575a0fa8df285e970dda741ae4200b54fb53f0a3145369e
FormBook
474cad642b1cf88f8d7f922cbfd9b8a00d7fc0eb40cafc0877007ee2884f105f
FormBook
5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
8d692269e00163075c2d1bdeea0d8fe0ebb06c791233f692fa76e766095ec3ad
FormBook
a492b017c3e12fe55493c562ed1304155616cb61b24f6dce0bfcd3eb7a7bdaf5
FormBook
a6009a6b0724811f3bb71fc6f0c6b3b1aad71448948175949c7eb8af82034e91
FormBook
+ 2'218 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-p3rk17cntj/
Behaviour
Enumerates system info in registry
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.lodipytu.com/tmo/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 64183c54790ec5ece0e49999b0c4267124b473501a4b134771687cd26a3e0617

FormBook

Executable exe eefab144fefdb2883084329ab3755717ed6882b348eea18aa611a0a446c39f69

(this sample)

  
Dropped by
MD5 6586159f90c50af13ea66199b5ee17cd
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 64183c54790ec5ece0e49999b0c4267124b473501a4b134771687cd26a3e0617

Comments