MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2460c3a92796b5c40abef5471ee446623489b3c1bfb70f1015ab74961d477561. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 5



SHA256 hash: 2460c3a92796b5c40abef5471ee446623489b3c1bfb70f1015ab74961d477561
SHA3-384 hash: 86987fb3813b904e15c03bb308181d53931f8d1723be30eeea86e365a5f1de9cc5880d25a93622b41701d856e4b3bf9e
SHA1 hash: 14a3b22deb01b58db15e385e3d39cc832893b1fd
MD5 hash: bc95d7148f851a8f1c5ac9b9f044c09c
humanhash: video-table-table-batman
File name: detials 2.exe
Signature: FormBook
File size: 696'320 bytes
First seen: 2020-07-01 06:43:22 UTC
Last seen: 2020-07-01 07:58:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3dbf6c2cd2886e109ef90dcce86638b7 (5 x FormBook, 1 x NetWire, 1 x RemcosRAT)
ssdeep: 12288:Ee7+LHvP79bjBoxHyzKXAzgqGD4+dCIJuxd6Ur5IScz5ISF+gAuA1KzqrRUyqqjt:bq779bjBoAzKXAPC4VYX/ebP2kcjc
Threatray: 5'167 similar samples on MalwareBazaar
TLSH: 62E4CF21B3D0953BDD5B1BB48C0F6AA86C267DA02E99584F3AF80CCE6B7D361342D153
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: hm1831-t-5.locaweb.com.br
Sending IP: 191.252.28.5
From: SapoiBest <info@sapoibest.com>
Subject: purchase enquiry
Attachment: details 2.img (contains "detials 2.exe")

Intelligence


File Origin
# of uploads: 2
# of downloads: 92
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Spyware.Noon
Status: Malicious
First seen: 2020-07-01 01:19:21 UTC
AV detection: 24 of 28 (85.71%)
Threat level: 2/5
Result
Malware family: formbook
Score: 10/10
Tags: persistence evasion trojan spyware stealer family:formbook
Behaviour
System policy modification
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run entry to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Reads user/profile data of web browsers
Adds Run entry to policy start application
Formbook
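Two of the sandbox behaviours listed above, "Adds Run entry to start application" and "Adds Run entry to policy start application", are registry autostart writes: the well-known HKCU/HKLM ...\CurrentVersion\Run key and the less-watched ...\CurrentVersion\Policies\Explorer\Run key, which Explorer also honours at logon. The following is an added example, not part of this MalwareBazaar entry or the reporter's comment, showing how such writes can be picked out of Sysmon Event ID 13 (RegistryEvent, value set) records and ranked by where the writing process runs from. The event records, SID, paths and value names are constructed for the example.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records. They are
# made-up sample input for this example, not telemetry from the sample above.
SAMPLE_EVENTS = [
    {   # classic Run-key autostart written by a binary executing out of %TEMP%
        "Image": r"C:\Users\victim\AppData\Local\Temp\detials 2.exe",
        "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
        "Details": r"C:\Program Files\Common Files\svchost.exe",
    },
    {   # the policy variant that sandboxes report as "policy start application"
        "Image": r"C:\Users\victim\AppData\Local\Temp\detials 2.exe",
        "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsUpdate",
        "Details": r"C:\Program Files\Common Files\svchost.exe",
    },
    {   # lower-interest: an installer in Program Files registering its updater
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
        "Details": r"C:\Program Files\Vendor\updater.exe",
    },
    {   # unrelated registry write under CurrentVersion, must not alert
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]

# Autostart locations covered: Run, RunOnce and Policies\Explorer\Run, under the
# machine hive or any user hive (HKU\<SID>), with or without Wow6432Node.
AUTORUN_KEY = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<kind>Run|RunOnce|Policies\\Explorer\\Run)\\[^\\]+$",
    re.IGNORECASE,
)

# Directories a standard user can write to; a binary running from one of these
# and installing persistence is far more suspicious than an installer doing so.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Public|ProgramData)\\",
                           re.IGNORECASE)


def classify_autorun(event):
    """Describe a registry autostart write, or return None if the event is not one."""
    m = AUTORUN_KEY.search(event["TargetObject"])
    if not m:
        return None
    kind = m.group("kind").lower()
    return {
        "technique": "policy_run_key" if kind.startswith("policies") else "run_key",
        "writer": event["Image"],
        "payload": event["Details"],
        "writer_user_writable": bool(USER_WRITABLE.search(event["Image"])),
    }


def detect_autorun_persistence(events):
    """Return one alert per autostart write, severity based on key and writer location."""
    alerts = []
    for ev in events:
        hit = classify_autorun(ev)
        if hit is None:
            continue
        # The policy key is rarely touched by legitimate software, and a writer in a
        # user-writable directory is the FormBook-style pattern; both rank high.
        high = hit["technique"] == "policy_run_key" or hit["writer_user_writable"]
        hit["severity"] = "high" if high else "medium"
        alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in detect_autorun_persistence(SAMPLE_EVENTS):
        print(f'{a["severity"]:6} {a["technique"]:15} {a["writer"]} -> {a["payload"]}')
```

Run against the constructed records, the two writes by the %TEMP% binary come back as high severity (one per key), the installer's Run entry as medium, and the Explorer setting is ignored. The same matcher can be pointed at exported Sysmon XML or a SIEM query result by mapping the Image, TargetObject and Details fields.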

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
FormBook
Executable exe 2460c3a92796b5c40abef5471ee446623489b3c1bfb70f1015ab74961d477561 (this sample)
Delivery method: Distributed via e-mail attachment

Comments