MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f43b908ae719e97419ad1ce856a7c4a519a5e01fc318725f693153b41aac3fda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f43b908ae719e97419ad1ce856a7c4a519a5e01fc318725f693153b41aac3fda
SHA3-384 hash: 58589f35f881c2df19bb18f54967bd8370efcc6fac8520f1a3cfd77a613c670ed2d615fbde6fde5d7e23b6115c1f4dbd
SHA1 hash: ddedc65a5a63ff3c51dde1311917690fa4dad95e
MD5 hash: 853a22ebcbfe7302e8296e215353982b
humanhash: queen-spaghetti-quebec-vermont
File name:shippingdoc_pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'373'696 bytes
First seen:2020-05-25 12:47:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:9tb20pkaCqT5TBWgNQ7aynK1oOWVeBRJGLMOF7i0xtZHs6A:uVg5tQ7aynK1dWWwLppiz5
Threatray 5'354 similar samples on MalwareBazaar
TLSH D355D01373DD8361C7725273BA25BB41BEBF782506B5F56B2FD8093DA820122521EA73
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: fm02.smd.vnn.vn
Sending IP: 14.225.227.10
From: frankylin@mail.coscotw.com.tw <trinien@maxplanning.vn>
Subject: RE:shipping documents M/V”EVER BEFIT
Attachment: shippingdoc_pdf.arj (contains "shippingdoc_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AutoIT-3.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 14:03:00 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
02b10c6690bd0ed3e9b675553519df78a7ede63a398d68304043eacb691fd305
FormBook
1edf8c6bcf0ae2b38e9e28bcb1fd838c2ea35b5b126e4bc9e42daa2e1e722298
FormBook
4f51da0a7034a3b491bf21d56896d2cc97f5f240911abfaeacfe73d80bd84a34
FormBook
6fd98f10610827553549cf795c654fde41891da53df2a254f37a645530b809c1
FormBook
720f6f2a125359d8b85eea767c95d0059cb46eba2fc05a53bcfbf73b5bfc8531
FormBook
76bf9fbbf199cdbb2c42d49a7d200e2c9b325fdc1c4ad2de205f40331a017243
FormBook
9465c69c18144431c36b77e4b36534684c7717f1d9970eb522b8aef716dd2458
FormBook
c9f7661a1a814820db663d5a916abd38a6c824429542e8b833c9a4e67974ac80
FormBook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
FormBook
ea95c0511e50da3a5225f551733b37b0b8f117b42dacd071620984fb550a00c9
FormBook
+ 5'344 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-t621p728j2/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.glamotd.com/zgg/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

arj b456c3665355f35c5076f10f4c84a2e822d6a38b49237087f5d869d23805cc54

FormBook

Executable exe f43b908ae719e97419ad1ce856a7c4a519a5e01fc318725f693153b41aac3fda

(this sample)

  
Dropped by
MD5 d3550c32817db7eb64f694792776a004
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b456c3665355f35c5076f10f4c84a2e822d6a38b49237087f5d869d23805cc54

Comments