MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f310aa4f6cb0b3c3d237d13640594dd0a06f8c42ab5ecd1cba3daecc860129bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f310aa4f6cb0b3c3d237d13640594dd0a06f8c42ab5ecd1cba3daecc860129bf
SHA3-384 hash: 93c598ccd46e26c14885ba89d192f8ccd9cddd749112bce5769ef7211118ba9573db2e40cdda78a30a7accda1652813a
SHA1 hash: 56a40e486e6c3a7d7fa458293f39a5d339f89202
MD5 hash: 93de480dde266435aaac2a9c0ff59c1e
humanhash: oxygen-massachusetts-charlie-white
File name:RFQ-PO04635AZ323.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:472'064 bytes
First seen:2020-06-16 05:08:07 UTC
Last seen:2020-06-16 06:12:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:5A5FwjsUzScWWs1rvENMNGZw7CdxTXi2krZpDlK4s:5A5ajsyKrvENo8dxTXiLp04
Threatray 5'239 similar samples on MalwareBazaar
TLSH 4AA4AE06ABBADE33C7F435FF409034141EAC5EA11DA2F64A3988B159FDB3B92C941593
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: thaimartin.co
Sending IP: 111.90.145.52
From: Dong Hee Han <pearldenthandonghee@gmail.com>
Reply-To: patbonnantakui@gmail.com
Subject: RE: RFQ-PO04635AZ323
Attachment: RFQ-PO04635AZ323.rar (contains "RFQ-PO04635AZ323.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10546/
Detection(s):
SecuriteInfo.com.Variant.Ursu.907060.21945.3098.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 05:10:09 UTC
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6mikut3mwcz4hurx2e3eawkn2cqg7dccvnpm2hf2hwxmzbqbfg7q._file
Verdict:
malicious
Similar samples:
091fa5c2da8704e463202cad1bdd4f766ca66c28b3f60348c03288c4d4c3ce32
FormBook
18f5f4aa9b67c87202ed2456159ff033577a00bd227dc7b713de074f262d9897
FormBook
19833770b128f098f86b4d9daaedef96f8de222745a7e431999545c9c03bfb29
FormBook
20df636881ac1b90a09339824066c137458264e85ac4ce4767a5841a574a9dcc
FormBook
310ce684bde85380d1c908579135f3ea6ff6f69c8475fad63a232020beaebd65
FormBook
51558f41331f2345cd146dc9705f48e8a6fdc425e6744658ff2ea53d42d34ae6
FormBook
64ff498497ee75879455fa623913eed07fae30f5e357bb247bedcf76e7d4e04f
FormBook
915317c4721161535e8ab7d081baa128d6678c50ff2135571965cf40b7167fb5
FormBook
9ba436351aa2ed6aa1c478d716b2b5e2dd6b6141c14aa8ded5089ed6951b9426
FormBook
a4906242ed8ef857d5fe0dd5b8e3f1f90baa1bdf6f1030ba09af4a2b8892e08b
FormBook
+ 5'229 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-a27vpwm5js/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nimtax.com/ut/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar b68166aaada3fe461c3529364e3e8c66c28377617e591f0ecaa240d3cfd4eb97

FormBook

Executable exe f310aa4f6cb0b3c3d237d13640594dd0a06f8c42ab5ecd1cba3daecc860129bf

(this sample)

  
Dropped by
MD5 e218c2419cc41d137d4936168be26bae
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b68166aaada3fe461c3529364e3e8c66c28377617e591f0ecaa240d3cfd4eb97
Cape
Cape
https://www.capesandbox.com/analysis/10546/

Comments