MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f46ea866a034694bb34ddd4207ae960a5e43390ca9f9ad58daf4d14c42dbbc79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f46ea866a034694bb34ddd4207ae960a5e43390ca9f9ad58daf4d14c42dbbc79
SHA3-384 hash: 0b10dfefc3627a9436b982202ef1365df4f25f088612fa06d22a974ce6c26636bbd8b5998c1a141f62e87cfce0f41fcd
SHA1 hash: 4851e376a74b5bde939ddefc4b6ce1a520a431ea
MD5 hash: d638058854e4c346a0d7479951e2dbd3
humanhash: twelve-glucose-mississippi-violet
File name:V-12585.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:415'744 bytes
First seen:2020-05-21 10:15:55 UTC
Last seen:2020-05-21 11:15:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:7uY6xv5nS6Hg1Z05UgO1+1Xwbd0O4vuzU:7RchnS6A1m5e+Rkb4vkU
Threatray 5'244 similar samples on MalwareBazaar
TLSH 3494122073F87B45E2B95BF42530B0A067BA7B1B5972C24C0E45A1CE6A33B42D7D1B63
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: yisun.co
Sending IP: 111.90.159.196
From: Zhaohui Liu <liu@yisun.co>
Subject: AW: YANCHENG- ORDER GOOCE
Attachment: V-12585.rar (contains "V-12585.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.49161.14231.18191.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 11:20:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
24 of 30 (80.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6rxkqzvagruuxm2n3vbapluwbjpegoimvh422wg26tiuyqw3xr4q._file
Verdict:
malicious
Similar samples:
2d15cd4ea7c6a5ff5f7f47acfedf52c6cb081a5791f8aa03a9a88636b58550ca
FormBook
49fd1fd4167dc08352e383bd51337af9206603336040aadacc85fe5a9226ce6e
FormBook
4e68480fbf23cd8b7efedd98614f1cd26032b955b4fc721e6622c62e4bb9f447
FormBook
6c7d10402361556d564ce74e16a05024a4e0ad31da03b98fb69d4f7c0079730f
FormBook
b26b6fd030ce29451797859444a1bd9e0a717b06a2909406e68edf183887632e
FormBook
ba988eeaeef4b7e706308c40094dd0fe2146918e0386565cc2a14243e3f0aa69
FormBook
d18ed67b05d0bbd6dfaba77a6053c92674bfef8abc8c7aae7c17f703adc6ea5c
FormBook
d19a1337bd1fd3534eabbbdf6db6e402de9c2996edf3b4bae1bb10e85d7b5bde
FormBook
d4943254bdebb92508362f26bd91da77d2aaecbcd73f086b917055c704a993a5
FormBook
f0a859474803c2ba7687f71bdc33ed9296ef1a18920d6c3fb425fc30ae266826
FormBook
+ 5'234 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-q41a9jr1bx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
CoreCCC Packer
Formbook
Malware Config
C2 Extraction:
http://www.regulars5.com/mz20/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 4428aebb9dac740e189fdb37a1f3dab38f9fea43a7de8370d2b17921477c7b80

FormBook

Executable exe f46ea866a034694bb34ddd4207ae960a5e43390ca9f9ad58daf4d14c42dbbc79

(this sample)

  
Dropped by
MD5 b2fcc22977e87562353fc760504e2303
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4428aebb9dac740e189fdb37a1f3dab38f9fea43a7de8370d2b17921477c7b80

Comments