MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a96662a743a681756e4ae5ed7a3d259cca5a50725413698c1769939a950b455. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a96662a743a681756e4ae5ed7a3d259cca5a50725413698c1769939a950b455
SHA3-384 hash: 297c67984f699a3c8f8b278542341532510f8345fb5de7d5572fe30fd318fe95f6e33ef9ce7a5c3fb21f64beed0570e3
SHA1 hash: 447a636f575d600744fc55f12b029739805e1f0a
MD5 hash: 45637a205bb723e63316e20c95c517ef
humanhash: washington-rugby-alabama-avocado
File name:Klwlezx.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:897'536 bytes
First seen:2020-06-22 06:32:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 37b27279f1591ef83241637a28869d52 (1 x FormBook, 1 x RemcosRAT)
ssdeep 12288:D6RfvnyZ3tr81qETTOOnDItGl77DJpiR+/fkPY3agtKhm:D6VaP8wETrItGlrDic8Xi3
Threatray 5'345 similar samples on MalwareBazaar
TLSH 82156C52F280C837D0231A784C5FE7706829BE553938998E3BE57D0E6E76782342A75F
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12405/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a96662a743a681756e4ae5ed7a3d259cca5a50725413698c1769939a950b455/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-06-21 22:13:30 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dklgmktuhjubovxevzpnpi6slhgkljihevatnggbo2mttkkqwrkq._file
Verdict:
malicious
Similar samples:
40e20cc321623df3271e2ea7cbe75f647096a8a30737d21d0ef8ddbdc33a7f49
FormBook
4844f86de461d882aa8fba67fe579696bb68e5a5a02d725b2bd9732101f86966
FormBook
62129dc8193a75313e61a1feb2146bd798ec2c84b12d99aac6560cdb7ee9e309
FormBook
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
FormBook
8fa8f67945e7ad85b3afc20abed666c8c69e9b0e592b9002c5bb78438d093d3e
FormBook
9519395df08cc1e952c5d7bd57b705f105dcbe6a59a09f4ae6163873cd75c9bb
FormBook
a93544715a31933d1ac1584d3a28bc7121872569baa1e3a7ecfed06f2d65031c
FormBook
b113aa45c20fb4a1b058a76068faf201fa21295df5aaf54e32f3034c6944947a
FormBook
c177f9b4bd74ab895e5b56bd2de176fa8eef55435f62a734fabc4a1215980c60
FormBook
dda2e0d9e1057b0dd8c64979c045e2909236d3ba0669f490b077547aa0f75827
FormBook
+ 5'335 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware persistence
Link:
https://tria.ge/reports/200624-6ymcnkhjwa/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe 1a96662a743a681756e4ae5ed7a3d259cca5a50725413698c1769939a950b455

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12405/

Comments