MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffaada37aa4934d94b43628a932058196e3e9d5b4375873fa440c8c2bde97326. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	ffaada37aa4934d94b43628a932058196e3e9d5b4375873fa440c8c2bde97326
SHA3-384 hash:	8f605f1681ca7dc0c9bbf6aa5c4725a8d87fa5ab840e29d4911f483f246afedada88a6647853e1c6b532221b91aeb48c
SHA1 hash:	a13224665e3131bdd95b132cd38229eb2b54e24f
MD5 hash:	617d35386ee9c542ca093bf4fbd4c8b4
humanhash:	queen-batman-blue-violet
File name:	ofertă de comandă.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	390'144 bytes
First seen:	2020-08-18 19:24:29 UTC
Last seen:	2020-08-18 20:12:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:q1/SP/rOAh2Eg6d9sC27/8OL/2s05AIdjqt75tbF7W2A3VRsFTZZWMZYqBIJVQu9:2SLhhyx7/8OCs8ElbFSXR2NNYzXQu9
Threatray	2'378 similar samples on MalwareBazaar
TLSH	8984F15C7564B2AFC87E8D7BA9540CB083A171B7430BF3428D5395EA9E1DF97CB108A2
Reporter	abuse_ch
Tags:	exe FormBook geo ROU

abuse_ch

Malspam distributing unidentified malware:

HELO: host2.himbimarket.com
Sending IP: 72.52.244.66
From: Avram Violeta <sales@plastics-bavaria.ro>
Subject: Re: Re: nou ofertă de comandă
Attachment: ofertă de comandă.zip (contains "ofertă de comandă.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/48044/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.405.16701.13549.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/ffaada37aa4934d94b43628a932058196e3e9d5b4375873fa440c8c2bde97326/

Threat name:

ByteCode-MSIL.Trojan.CryptInject

Status:

Malicious

First seen:

2020-08-18 05:45:46 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=76vnun5kje2nss2dmkfjgicydfxd5hk3in2yop5eidemfppjomta._file

Verdict:

malicious

Similar samples:

1bfdb7e4f0aadba330b6017c2608570e791bfddff789d128ecb5ca9a5a06e6fe

263573ece93d13d69ed99ea6be5715ca5b15e1877ed09a274ca9cf55f4d16a22

381f02195474516491ab7964f7c266d5b8dfb99e0b84b359bba583ba6fd8ff88

673aa6ede02270b33f4a7058ec4e31eabd688ca4c75037ed4a7f92470a42a271

7cc4e45a2448e81c638cf0a84c269d7d926135647f95d318279429587d462e9a

8ae81522b85b942557d654bd85f719d2a8b539106e787c451f0d2856effc6ca4

9f20023fc4c5c192804b85d3d206b9b78cbce88746d8611a69d27f40228d1f0a

af27bd7180ad756460e32f2ae56db7cbdc8a79e73a36b261a96f803e5b051fd5

b502f774e9192f77aa713347f2747b67df5a473be721226bf0b2d98bdff8a835

c9522b2123a5c1d678125fecafc722f82d46c099f6c1cbcca6b95c2911130927

+ 2'368 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat persistence spyware trojan stealer family:formbook

Link:

https://tria.ge/reports/200818-mlxel343an/

Behaviour

Creates scheduled task(s)

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of web browsers

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.fex-tracks.com/kvsz/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ffaada37aa4934d94b43628a932058196e3e9d5b4375873fa440c8c2bde97326

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 16ab316c9c7addcb3b3ba1c0c73d3a64d1cd3a3e45241c45a80a6ade10c63629

exe ffaada37aa4934d94b43628a932058196e3e9d5b4375873fa440c8c2bde97326

(this sample)

Dropped by

MD5 d6c5a453883a35c9775ec22c535c8031

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 16ab316c9c7addcb3b3ba1c0c73d3a64d1cd3a3e45241c45a80a6ade10c63629

Cape

Cape

https://www.capesandbox.com/analysis/48044/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample