MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 35bb2187c8bcf8921677dc34a4a3bf7f33144c97370346f4ff616c82a2e278b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
FormBook
Vendor detections: 6
| SHA256 hash: | 35bb2187c8bcf8921677dc34a4a3bf7f33144c97370346f4ff616c82a2e278b5 |
|---|---|
| SHA3-384 hash: | 3be4974759e6ce9b93da59c968942aa0cd1e732ac704e19a3ced2a4f2f069ed48e37d4a36b14c53b6bcf2dc6d7aec527 |
| SHA1 hash: | 1529ab8f997fd8010d2b43d920cd7eec1a18e126 |
| MD5 hash: | 818f7516f05f3031b20c0300649e5c01 |
| humanhash: | early-foxtrot-lion-yellow |
| File name: | USD 87700,000.exe |
| Signature | FormBook |
| File size: | 1'123'330 bytes |
| First seen: | 2020-07-13 11:40:53 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | bfece282ee8fe6d99308046cce6d3bd3 (3 x RemcosRAT, 2 x FormBook, 2 x AveMariaRAT) |
| ssdeep | 24576:NEWNeUebPnGhlh40zI+N//y8Q+vMMl8XZf1CDRX1/4LsD+zVxuTB9u:eXVnx3U8ouLsD7Lu |
| Threatray | 5'125 similar samples on MalwareBazaar |
| TLSH | 0035BF32B1A11A76C113093D7D1F53A99A27FE611FAEEB8267F51D0C8D7A1827C38187 |
| Reporter | abuse_ch |
| Tags: | exe FormBook |
Malspam distributing FormBook:
HELO: spock.gnoft.com
Sending IP: 176.9.117.66
From: mahmoud alkassem <ahmed.badawy@wataniasystems.com>
Subject: Re: Odg: Re: Odg: Re: Odg SWIFT USD 87700,000 20200710113303
Attachment: slip copy.zip (contains "USD 87700,000.exe")
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 104 |
| Origin country: | n/a |
Vendor Threat Intelligence
| Detection: | Formbook |
|---|---|

Detection(s):
Result
| Verdict: | Malware |
|---|---|
| Maliciousness: | |
Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Creating a file in the %AppData% subdirectories
Launching a service
Creating a file
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun
| Threat name: | Win32.Trojan.Delf |
|---|---|
| Status: | Malicious |
| First seen: | 2020-07-13 11:42:08 UTC |
| AV detection: | 24 of 29 (82.76%) |
| Threat level: | 5/5 |

| Detection(s): | Malicious file |
|---|---|
| Verdict: | malicious |
| Similar samples: | + 5'115 additional samples on MalwareBazaar |

Result
| Malware family: | n/a |
|---|---|
| Score: | 8/10 |
| Tags: | persistence spyware |
Behaviour
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Script User-Agent
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Reads user/profile data of web browsers
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment