MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fec5ae0ee4950c22aa3278fbea92faf21abc081160d32ab3047d03c6409f8829. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fec5ae0ee4950c22aa3278fbea92faf21abc081160d32ab3047d03c6409f8829
SHA3-384 hash: 19c668b2aa9e15676832cae9f8bd317d646d15da9d4b6aa029f44488e21c529e1e745ef5d4c908602163832590190570
SHA1 hash: e5b3d8f68a5bcca610661b2e3c2276c9e260f948
MD5 hash: 52f40e38350510d0101f33526d6fb0a6
humanhash: shade-johnny-muppet-seven
File name:Stripe.bat
Download: download sample
Signature FormBook
Create hunting rule
File size:396'800 bytes
First seen:2020-05-26 09:43:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:IYecM3Dmk482dnIzJ6GSjHyrf84urChex:CFT482I9
Threatray 5'104 similar samples on MalwareBazaar
TLSH B1848C9C3290B6DFC867C976DD941C64EA61B47B430BD743A41322ACAA0DA9BCF115F3
Reporter abuse_ch
Tags:bat FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.haihongsolutions.com
Sending IP: 162.241.215.134
From: Muhammad Mehroz Senior Accountant Payable <info@dawood.com>
Reply-To: muhammad.mehroz@outlook.com
Subject: RE: OUTSTANDING PAYMENT(EXP-008) FOR 26 MAY 2020
Attachment: wire swift 126,400.iso (contains "Stripe.bat")

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WBA.25899.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 11:21:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 30 (83.33%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
FormBook
263462d86535967bddee75eed15d3e069942b2bc839102bc5afd4b4ea69ab9bf
FormBook
49fd1fd4167dc08352e383bd51337af9206603336040aadacc85fe5a9226ce6e
FormBook
4b4c8b74b632893033dfa8d4099db76155f6941ab5a63ba7c5a680168ad73b1b
FormBook
57234a3ec3bf2d3e6539a25221595d791fcf68dbed39a942651819c74fc3c664
FormBook
6a8ab618570b51a54198fee312e9cb6a3e2e1159ca5834994b589c9f160a69af
FormBook
c56c8ea787e000ad095d2d1bc0e0a651e1571d3f784e09f7f6c86fa8771efddf
FormBook
d18ed67b05d0bbd6dfaba77a6053c92674bfef8abc8c7aae7c17f703adc6ea5c
FormBook
ea0bcb9c44a356945727a78ca03b727f5ce4dd69accb51dc7fee5918477133be
FormBook
f0a859474803c2ba7687f71bdc33ed9296ef1a18920d6c3fb425fc30ae266826
FormBook
+ 5'094 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook coreentity rat rezer0 spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-rgs7dqhsra/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
rezer0
CoreEntity .NET Packer
Formbook
Malware Config
C2 Extraction:
http://www.regulars6.com/ze01/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar aff26754ef23f25c764d89c075e57536fc01b17cf6cde627dbf892783723d5fb

FormBook

Executable exe fec5ae0ee4950c22aa3278fbea92faf21abc081160d32ab3047d03c6409f8829

(this sample)

  
Dropped by
MD5 00d120938f03c49aa2a87ce02570dc2a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 aff26754ef23f25c764d89c075e57536fc01b17cf6cde627dbf892783723d5fb

Comments