MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 2b8f048a61ef0fcd4a8d4f54cf1a22cf637883aae8b542f981ead6f043f02ffe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
FormBook
Vendor detections: 4
| SHA256 hash: | 2b8f048a61ef0fcd4a8d4f54cf1a22cf637883aae8b542f981ead6f043f02ffe |
|---|---|
| SHA3-384 hash: | f03897d9f35f634e9c853515be98cb2030cce75c893064408a204928894f6c6ad38708ea706f4269393d00bf3a85dab9 |
| SHA1 hash: | d6c654aa341ad7a047f73bb33a1f3e54662d5c18 |
| MD5 hash: | 8eec63f2af9321157569e1178104611a |
| humanhash: | iowa-two-steak-dakota |
| File name: | Twsukkd.exe |
| Download: | download sample |
| Signature | FormBook |
| File size: | 1'092'610 bytes |
| First seen: | 2020-07-05 07:20:04 UTC |
| Last seen: | 2020-07-05 07:50:27 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 9c21823864d17748e41e461aad6df761 (3 x FormBook, 1 x RemcosRAT) |
| ssdeep | 24576:YwBWwQ4IMud9KLLM1nmViXJ4k4DGyevisgciv:YUQzrTcViXu6Biv |
| Threatray | 5'132 similar samples on MalwareBazaar |
| TLSH | 9A357E52F2914837D5231A789C6FD7786829BE052A78984E37FD3D0C2F76741383A68B |
| Reporter |  abuse_ch |
| Tags: | exe FormBook |
abuse_ch
Malspam distributing FormBook:HELO: mx1.toucamail.com
Sending IP: 91.99.103.189
From: IBCCO-Commercial <supply@ibcco.midhco.com>
Reply-To: IBCCO-Commercial <supply.ibccomidhco@protonmail.ch>
Subject: Fwd: Draft of Proforma Invoice for IBCCO
Attachment: Inquiry.zip (contains "Twsukkd.exe")
Intelligence
File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Threat name:
Win32.Trojan.Graftor
Status:
Malicious
First seen:
2020-07-04 07:56:57 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 5'122 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
8/10
Tags:
persistence spyware
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Checks whether UAC is enabled
Adds Run entry to start application
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Adds Run entry to policy start application
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.