MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03cba0b3813108ec932306f5aaa9d152603a834b9caf3c601722a9cda41ca194. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	03cba0b3813108ec932306f5aaa9d152603a834b9caf3c601722a9cda41ca194
SHA3-384 hash:	0aa9085a55906118c3905d9b4dc0505feb3f05beb2e38f150d1b42d9abea53d2b231fa846b20f79f38abdd231780e6c8
SHA1 hash:	810a1c7f3559d5e6227022ee37438ea2c382be4d
MD5 hash:	126510513ad09e362d53547080fb3586
humanhash:	mobile-seventeen-yellow-tennis
File name:	Picture3.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	985'600 bytes
First seen:	2020-06-28 07:33:41 UTC
Last seen:	2020-06-28 08:44:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	36c59039a5d2277d95faf77e2b67cda1 (3 x FormBook)
ssdeep	24576:+CcVhdV/AQxyzse6pqGWDO9xaAKWauiVre493eH:4DhqW/P4xI
Threatray	5'280 similar samples on MalwareBazaar
TLSH	C225A162F3414937D5331B7C4C2B63985926BE112E2C58466FF89E4C6F3A7417C2A2E7
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: slot0.oakwoodas.com
Sending IP: 45.95.169.32
From: Nicole Gapes<info@oakwoodas.com>
Reply-To: gapes.nicole@yahoo.com
Subject: Property Purchase & Leasing
Attachment: Picture3.img (contains "Picture3.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

88

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/15157/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a file

Launching the default Windows debugger (dwwin.exe)

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/03cba0b3813108ec932306f5aaa9d152603a834b9caf3c601722a9cda41ca194/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-06-28 07:35:06 UTC

AV detection:

23 of 31 (74.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=apf2bm4bgeeozezda322vkorkjqdva2ltsxtyyaxeku43ja4ugka._file

Verdict:

malicious

Similar samples:

0211865d58af36be2009eb29a77a400355a4cb7b8542d6359a6fa304c3f7d935

0df0a487b38b5d9bdbc8e2c05ba4c639dfe09969f5f68c85da43b46c16a48f6b

0e7ec69a6222b2753c0167997838b380acfd47834a6d1e7dd2475fd4fe07d63c

18dc7ad4fd5ffd0ec8b8f12884b41f3ace4e2ba95f704175ebf0a0eead74ba36

1f6b6d481b672f8ed428a044ebffa9e16424317c0081aad3c00cb61a547b90b5

27d591d9f4f1c5c4f3f6ae8f975b1a0ed7d2ffb5277348e59cd32ef5c57e6168

560c76df97fdc5816fa9310921082a04b44b781e60bc77f84b970df04a36d1f4

6715e87f7070a2d7b5b2c71e98a7bade689a504aed3b95654af3494248a501d4

cac635b83d0ee884f8d8bbce419b4c9d13273f4a10c450c2ea50830dc683e3ac

ea12fb909266d6a6f7315c8ffe0fcedb6b63ba660cd91e7c2ac4e6db14596171

+ 5'270 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence spyware evasion trojan

Link:

https://tria.ge/reports/200628-yphgc2lp4e/

Behaviour

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run entry to start application

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Deletes itself

Reads user/profile data of web browsers

Adds Run entry to policy start application

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img ef0276d29c0cfa16ddc1f8b615722b00c2306663cdc13c2fc8bdf54a5f353edb

exe 03cba0b3813108ec932306f5aaa9d152603a834b9caf3c601722a9cda41ca194

(this sample)

Dropped by

MD5 15d02a40a1e54c8e04e32553478649f0

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/15157/

Dropped by

SHA256 ef0276d29c0cfa16ddc1f8b615722b00c2306663cdc13c2fc8bdf54a5f353edb

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample