MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f130cec484223c8a539691962d1f9cd065bb45776e25bb34037c64d89be0e9d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f130cec484223c8a539691962d1f9cd065bb45776e25bb34037c64d89be0e9d5
SHA3-384 hash: a715eb8790e19c1ee158474278bc4187f73ae3a78ed7b0f715398090cf242f1e8899488812536c3c6b381b60c4dc66ed
SHA1 hash: 92f319109e88d21ffe44fce8b8322ccbbe3bd4a6
MD5 hash: bf744ac1c3ad06ed758bf267cec03632
humanhash: tennessee-romeo-cola-mars
File name:00983989202068_pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'392'128 bytes
First seen:2020-05-25 12:16:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:ktb20pkaCqT5TBWgNQ7aqiK1oOWVeBRJgYHrP5HX5esSOB76A:NVg5tQ7aqiK1dWW9HtHAstt5
Threatray 4'401 similar samples on MalwareBazaar
TLSH AC55D01373DD8361C7B25273BA26BB01AEBF782506A5F56B2FD8093DE820161521E773
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: emma.cloudserverhosts.com
Sending IP: 68.171.210.131
From: Eileen Yang <Eileen.yeng@hellmann.com>
Subject: Re: Shipment from China // Docs: BL-No: COSU6257686520
Attachment: 00983989202068.pdf.zip (contains "00983989202068_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AutoIT-3.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 12:41:44 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
22948624c2febb3129079dfea0d1461ec0649c4f60ab69994876b9a8836a1142
FormBook
29bad4252fa4cda5eea6a5a8587169e1d88d58f9c1fed8c13cf29695995178b6
FormBook
3188ff8a40a461c9e4e386a62daefbe7033034a0c28cfb2b02c20874b7f53b92
FormBook
4f51da0a7034a3b491bf21d56896d2cc97f5f240911abfaeacfe73d80bd84a34
FormBook
60c5b12508b9f3e9f77cd3a6f8e4b9f3cd546bdc97a76c21b0d758712d9ea4c7
FormBook
8d1512de63fd1bf66f80c8ec2ec640464a6ce986101849488372a38fed2bcfb6
FormBook
af076d38fb1a0fe805a6a835aefa72a1eaa827bb0421dcc91bd2e6153469d60d
FormBook
b6b19634b174ec68dacf4a4f936d8ad91e4374737de56f1e3995b51f778f755b
FormBook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
FormBook
ea95c0511e50da3a5225f551733b37b0b8f117b42dacd071620984fb550a00c9
FormBook
+ 4'391 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-vevhrh88vn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.glamotd.com/gm1/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 50710b02dd867301e6bc59a75b775de1b2937a108c7c9e738b75b273a307acb5

FormBook

Executable exe f130cec484223c8a539691962d1f9cd065bb45776e25bb34037c64d89be0e9d5

(this sample)

  
Dropped by
MD5 1da0302cb2ae50605f02f28177c94182
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 50710b02dd867301e6bc59a75b775de1b2937a108c7c9e738b75b273a307acb5

Comments