MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c7ef54cf3d06546c5201243fd32d91fb4bf4dbc646956c0b0c5e22ddbfbe113. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c7ef54cf3d06546c5201243fd32d91fb4bf4dbc646956c0b0c5e22ddbfbe113
SHA3-384 hash: e133649687ac3d6750665a79130c42ccf2a235328eb72dd6464ad4fcc5af4dcc0c1eb50a840051acf6446fb4df5b7c70
SHA1 hash: 1325aaa6108cc862125b44c2b9cdbcc570823c85
MD5 hash: f8bb966437bca0a48019d89b74da4fd4
humanhash: xray-rugby-idaho-item
File name:Ikxwsgg.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:997'890 bytes
First seen:2020-07-20 09:34:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3a53a72dea4f25a6a6c0f0fbab7e5ef2 (2 x Formbook, 2 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 24576:NgtGHnojbusr80kwyjUcszLuVU0dEuXXJ+CYGz3iXc8kWSmnaZK:NggH4Ye4UcszLuVU0dEgXJ+CYGzKRS83
Threatray 5'135 similar samples on MalwareBazaar
TLSH 4825AD23AF8D8432C2A2653C9D4BD6FE5431BC557A18C857A7E83C3CDE3A395342A197
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ns1.prosemvds.com
Sending IP: 89.107.226.195
From: info@celikeltarim.com
Subject: Re: Re: Re: yeni sipariş
Attachment: yeni sipariÅŸ.zip (contains "Ikxwsgg.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28886/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391252
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 248003 Sample: Ikxwsgg.exe Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected FormBook 2->44 46 3 other signatures 2->46 8 Ikxwsgg.exe 2->8         started        process3 dnsIp4 32 cdn.discordapp.com 162.159.134.233, 443, 49715 CLOUDFLARENETUS United States 8->32 56 Writes to foreign memory regions 8->56 58 Allocates memory in foreign processes 8->58 60 Creates a thread in another existing process (thread injection) 8->60 62 Injects a PE file into a foreign processes 8->62 12 ieinstal.exe 8->12         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 12->64 66 Maps a DLL or memory area into another process 12->66 68 Sample uses process hollowing technique 12->68 70 Queues an APC in another process (thread injection) 12->70 15 explorer.exe 3 12->15 injected process8 dnsIp9 34 www.prestigepropertiesintlllc.net 15->34 36 www.offertruck11.com 15->36 38 www.jianghundk.com 15->38 18 rundll32.exe 1 18 15->18         started        22 ieinstal.exe 15->22         started        24 ieinstal.exe 15->24         started        process10 file11 26 C:\Users\user\AppData\...\4P-logrv.ini, data 18->26 dropped 28 C:\Users\user\AppData\...\4P-logri.ini, data 18->28 dropped 30 C:\Users\user\AppData\...\4P-logrf.ini, data 18->30 dropped 48 Detected FormBook malware 18->48 50 Tries to steal Mail credentials (via file access) 18->50 52 Creates autostart registry keys with suspicious names 18->52 54 4 other signatures 18->54 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c7ef54cf3d06546c5201243fd32d91fb4bf4dbc646956c0b0c5e22ddbfbe113/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 08:05:00 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hr7pktht2bsunrjacjb72mwzd62l6tn4mruvnqfqyxrc3w734ejq._file
Verdict:
malicious
Similar samples:
11c42a22bd49e9f723718ff607d073bfd3d47afd70ce7152b7329bff2013366c
Formbook
35bb2187c8bcf8921677dc34a4a3bf7f33144c97370346f4ff616c82a2e278b5
Formbook
58ced5958ea8fea452bbaa34bba957927c391a0d3699542fb3702cdab990c70a
Formbook
6afac1117b8398317f5eb5f8c66ce52c0fcf2e438a0d40743a584eedd17ac260
Formbook
7d76b11ffd54f1f7f61dae2d07689f986a40a6bcf79e2606610f77a5c7bb20de
Formbook
7f9c9b969cacb0ea5d679baff92d33438a27ecb67786022aa03f9f43a4ce56f4
Formbook
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
Formbook
a678db2b0d3f84a7edaa2c100192a43397a7be3d2c482b34d7bdaf1572f00720
Formbook
ab4583eefcd41b355fe38fcabdfe18450722b162f7b9e8e9ba346040355f4126
Formbook
e98e20e7f6ca6411a6da4193276bd5e1a58602f761f2d3b33281e88dd411d9c7
Formbook
+ 5'125 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200720-jfq6xv82jj/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Adds policy Run key to start application
Adds policy Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c7ef54cf3d06546c5201243fd32d91fb4bf4dbc646956c0b0c5e22ddbfbe113

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 1e8c3de32bfe9ad65465c3ea60202de7dcde8a58105427216d7858c62a05f534

Formbook

Executable exe 3c7ef54cf3d06546c5201243fd32d91fb4bf4dbc646956c0b0c5e22ddbfbe113

(this sample)

  
Dropped by
MD5 7e9f6af0d0d9cd51a225165099d31e53
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1e8c3de32bfe9ad65465c3ea60202de7dcde8a58105427216d7858c62a05f534
Cape
Cape
https://www.capesandbox.com/analysis/28886/

Comments