MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f34f4e3d8e9c1ec1d066d75d07f3d93c70931d6a54d736dc12f83b8277db2557. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f34f4e3d8e9c1ec1d066d75d07f3d93c70931d6a54d736dc12f83b8277db2557
SHA3-384 hash: 047c448d403bd6db73450e81f1242dca11e6defd6f5faaf20bbd6b9be729850e7b69bf403d7ef432cd7e7fb173008601
SHA1 hash: 35a53b0eb0eed93cb14b7d22b1034fb28929d53c
MD5 hash: 826fe6a763bcf2bc7746cb532cce187b
humanhash: alanine-crazy-yellow-mississippi
File name:ORDER_3901.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:311'808 bytes
First seen:2020-06-17 05:39:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'651 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:rHyIUOhSc6eTRI/MVddjzuZOGqOl6nCOhCsKAyb1s7E7JhRLrX:vUxc6eTRL901qOIngOo7HRLr
Threatray 5'230 similar samples on MalwareBazaar
TLSH 1A64E105B6DCC720C1B81B7AD8E7155003B8BFB22A62E31E7AD933AC58577D7690538B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: yuntong-batt.co
Sending IP: 111.90.141.203
From: Gibson roman <G.roman@yuntong-batt.co>
Subject: RE: RE: ORDER
Attachment: ORDER_3901.rar (contains "ORDER_3901.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19038/
Detection(s):
SecuriteInfo.com.FakeAlert.9060.1798.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-17 05:41:07 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6nhu4pmotqpmdudg25oqp46zhryjghlkktltnxas7a5ye563evlq._file
Verdict:
malicious
Similar samples:
07744b4113024996510fc85a31a43c7362cd78777d6947351ac5cc785bd45bb6
FormBook
0f589bd3c4bfdf1301a52c6b4b9f9202ab61131bb7230f4e91767b28894005b2
FormBook
228f19c1186ef3077b4d7bd5ca03253f4a769ce6af984e1c4b0d40bc46948f7d
FormBook
39ee4970955c00558113be278502d7a8039fbc7fdfbc55e755dfdea14d4193c6
FormBook
49ced6e317fa96af1310ad10e5b71fea0d84e03b42ff0434f11d312ebb62dbcf
FormBook
8620876c548441699597c4d832de70efc7d058313adeab79c317dbbbd9a3af25
FormBook
87b6456b3368ef7dc9b78b73855341c550025285e26c05af3ecd17815737de34
FormBook
8ad15f68fcbdc182e9a092c8fe391a25b89dfa4fd30840ff8c0b644d66e3053e
FormBook
c4f0b3610d084b670fbcd8d5405153b208907ac348a190df4cfa41b1dc4f029c
FormBook
e08fedcdcfc38684de2868ee177397876a60e28f6cbaf54f6eeb31c5280b0901
FormBook
+ 5'220 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/200624-rkah89svc6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar de9384dc28357c778aca980bb9d5fa801a6ee2e6e94407b5a41c5e8e63943669

FormBook

Executable exe f34f4e3d8e9c1ec1d066d75d07f3d93c70931d6a54d736dc12f83b8277db2557

(this sample)

  
Dropped by
MD5 62541465e306733f69102cc31a7189fa
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 de9384dc28357c778aca980bb9d5fa801a6ee2e6e94407b5a41c5e8e63943669
Cape
Cape
https://www.capesandbox.com/analysis/19038/

Comments