MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 336024c1299d7903a83d3dc3f1575349d747c883fcfd29d014931c3887101c45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	336024c1299d7903a83d3dc3f1575349d747c883fcfd29d014931c3887101c45
SHA3-384 hash:	d2d98383136e1588fecba1a6ca452ce50926d3a0af8ff642af33ede6ad939c48cba6de3413c943aebe9846054f70cde7
SHA1 hash:	42272a41052942331ee7c8409c008cc63aacd14a
MD5 hash:	14e3a0848d049b549462fe90f204e0a2
humanhash:	leopard-sweet-cat-july
File name:	MV EVER DIADEM YOY 149E_pdf.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	957'952 bytes
First seen:	2020-07-13 00:02:42 UTC
Last seen:	2020-07-13 01:36:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	dada6f26441f1a1d2f2cf25a83bd8107 (16 x AgentTesla, 6 x MassLogger, 3 x FormBook)
ssdeep	24576:cM092htZ8qtYs5T287WqASEnMMNJg7UtIGY/2j:cLrqtYRtnMMN2m3vj
Threatray	5'130 similar samples on MalwareBazaar
TLSH	2415AE22F2D18432C1732A3C9D5B9764AD26FE007E28AD476BF95C8C5F3968178352E7
Reporter	jarumlus
Tags:	FormBook

Intelligence

File Origin

# of uploads :

4

# of downloads :

112

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/24924/

Detection(s):

SecuriteInfo.com.Adware.Generic4.BBFB.UNOFFICIAL

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

DNS request

Setting browser functions hooks

Possible injection to a system process

Forced shutdown of a system process

Unauthorized injection to a system process

Deleting of the original file

Unauthorized injection to a browser process

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/336024c1299d7903a83d3dc3f1575349d747c883fcfd29d014931c3887101c45/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-12 23:01:26 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gnqcjqjjtv4qhkb5hxb7cv2tjhlupsed7t6stuausmodrbyqdrcq._file

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

3188ff8a40a461c9e4e386a62daefbe7033034a0c28cfb2b02c20874b7f53b92

3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b

5845f8c6a360994b9315ad2e8abbb041a55f4653b6dfc704730202e8c8caf692

6858f384401b1ef40dd4515a1604fdf9bb7e0d5caf85d8798c89604d830227e6

9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264

c7949573443efdf9faf7bdd96422dd515bc3576d8fce3091776333047524d1a2

d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba

da3df2183f6a67da735b65864f2a91df95c96efe5526842821655449f94d2717

e09725931c810fdc4e6c957dc80267e520c513813498078bbd646e5874e34ab2

e99c6ae5a08e119d151f0c28b6b164d98ca6fd24d1d91b6f57bdf40f3d688c91

+ 5'120 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

spyware trojan stealer family:formbook persistence

Link:

https://tria.ge/reports/200713-hp322nmb8s/

Behaviour

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

System policy modification

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Drops file in Program Files directory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

Adds Run entry to start application

Checks whether UAC is enabled

Deletes itself

Reads user/profile data of web browsers

Reads user/profile data of web browsers

Adds Run entry to policy start application

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

arj be77880bf5a723df321101c48814b29236a40796e13d3b7756666426da788081

exe 336024c1299d7903a83d3dc3f1575349d747c883fcfd29d014931c3887101c45

(this sample)

Dropped by

MD5 fd1d3f1b5e8aea7e71984ee9134357a7

Dropped by

SHA256 be77880bf5a723df321101c48814b29236a40796e13d3b7756666426da788081

Dropped by

FormBook

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/24924/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample