MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 017f433a49afcc765c5a5e7f39de6251fbe37d9c98f7d86f1abcefb1a9f559bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 5



SHA256 hash: 017f433a49afcc765c5a5e7f39de6251fbe37d9c98f7d86f1abcefb1a9f559bc
SHA3-384 hash: 8f43a13a0d588f9f6deaf9bb9dab78f5b3fe5df79dd0721dc6ea726d9d189f574276d04216ababe160d5c0f91d13d0f5
SHA1 hash: 37c19b86622d1a9725a87c288af816aadda575a2
MD5 hash: 94c591351a9f0c0e8c61ee32b1e4bed8
humanhash: hawaii-whiskey-carolina-failed
File name: List of our purchase order.exe
Signature: FormBook
File size: 1'135'104 bytes
First seen: 2020-06-23 05:57:52 UTC
Last seen: 2020-06-23 07:54:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8299f715d855d2a6068b551514417b5d (2 x RemcosRAT, 2 x FormBook, 1 x NetWire)
ssdeep: 12288:djDbd29xj+02YMHFpC0cjKdOaQKj7sHkp1OcM+u4n+rpRz6gh:dfR29002pHFpC0cjKdjQKsEnOdL4gz
Threatray: 5'365 similar samples on MalwareBazaar
TLSH: 45357C22F380C837D0631B758C5FD7A86826BE546E28984B3AE93F0D5FB5351353A297
Reporter: abuse_ch
Tags: exe FormBook


Comment by abuse_ch:
Malspam distributing FormBook:

HELO: aquila.tvas.ro
Sending IP: 195.225.140.6
From: sales@aktio.co.th
Subject: Re: Re: Re: Re: Re: Re: Order
Attachment: List of our purchase order.zip (contains "List of our purchase order.exe")

Intelligence

File Origin
# of uploads: 2
# of downloads: 84
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2020-06-23 00:26:37 UTC
AV detection: 26 of 31 (83.87%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence spyware evasion trojan
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Reads user/profile data of web browsers
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Related sample: MD5 3c69cb71711cfa70e1d522f80cf80486 (FormBook)
This sample: Executable exe 017f433a49afcc765c5a5e7f39de6251fbe37d9c98f7d86f1abcefb1a9f559bc
Dropped by: MD5 3c69cb71711cfa70e1d522f80cf80486
Delivery method: Distributed via e-mail attachment
