MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4c535616a04819e9553cb3dbac66db0021065fb89a5e5c799c0b4eb301fb582. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	f4c535616a04819e9553cb3dbac66db0021065fb89a5e5c799c0b4eb301fb582
SHA3-384 hash:	42f71c8d78fed3ef8da5ec5b98e7718c8a774902f93d61c3a83a608c42e5947d0ba476aa4652fbb415d01cb723db47c8
SHA1 hash:	5284c7308994dbe3348c320499c3756aeae50f1d
MD5 hash:	39c13f82ae8a3803684959e14772c5b0
humanhash:	berlin-monkey-mango-california
File name:	PI Confirmation.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	685'568 bytes
First seen:	2020-07-14 06:01:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:CkEDYg9Ajl7NvOgmro7h/W36ASlsBOnVax8Vzkp40UyKn0Fn3N6or+hhATuW9Avl:CxCOgm01Y6NgAVJkpzUyHFn9vqAt1oEi
Threatray	3'451 similar samples on MalwareBazaar
TLSH	90E4F9B1C4891471DCB90734D63A1D7E0177BCA156B1EA7FA02933BB2973A60582DCBE
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: truegreen-cn.cam
Sending IP: 111.90.140.74
From: Omar Hussain <omar-hussain@truegreen-cn.cam>
Subject: RE: Re:RE: RFL250080 CONFIRMATION.
Attachment: PI Confirmation.rar (contains "PI Confirmation.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

117

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/25590/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Launching cmd.exe command interpreter

Reading critical registry keys

Setting browser functions hooks

Possible injection to a system process

Enabling autorun with Startup directory

Unauthorized injection to a system process

Deleting of the original file

Unauthorized injection to a browser process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/f4c535616a04819e9553cb3dbac66db0021065fb89a5e5c799c0b4eb301fb582/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-14 06:03:04 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6tctkylkasaz5fktzm63vrtnwabbazp3rgs6lr4zyc2owma7wwba._file

Verdict:

malicious

Similar samples:

258970d034e0216fb43795b398996dad9542e23894dd3c31a886402b5ab6d438

5467d4952a438b7025b7e6661bbc5755b94db5553e4534d2924dd60a9051efba

7029f74bfaf5637a25dad61b7a7462141833886ac9637790d0fdaf7e72d84a3f

7fb6e9a788b18806469167cf64458dd590122593a04489cf70bb70434905a246

89bd1e9ef11da85ed00a7768ea07f1af0400b70505603ee202178516ef511dc6

a2d04087127197f6a4ae49039fbc2c2dc750ee0fe2d71965a7c675d556d362d3

abb96fbc3e4b80337204e33d19134498c7eca75ba47390fe4df7939383515e6d

afc658f07e5da5c8071754e973e37fb7712e1f13a5a23a6baf440cd35e60fd76

b874161b258cda3cab7439d074f5d2560532076b46a91ca19c6cb5893828d030

e4031bfc8a9e6268a0c5c85697424583fcf998bc75728a3b9b2f779879f167a4

+ 3'441 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200714-rxe47ap612/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Deletes itself

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar cfd85f7690b503154bad4aed263e953b0b5da84cd8dc8eaa0b99302be53f36d9

exe f4c535616a04819e9553cb3dbac66db0021065fb89a5e5c799c0b4eb301fb582

(this sample)

Dropped by

MD5 0c21dacbb9b71985dfb7c8b81c631141

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/25590/

Dropped by

SHA256 cfd85f7690b503154bad4aed263e953b0b5da84cd8dc8eaa0b99302be53f36d9

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample