MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40e20cc321623df3271e2ea7cbe75f647096a8a30737d21d0ef8ddbdc33a7f49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40e20cc321623df3271e2ea7cbe75f647096a8a30737d21d0ef8ddbdc33a7f49
SHA3-384 hash: 1496c05d00342030cf4d4c25cd886e88462aab214669b6cc82d02e74f3da09ddab2cb9c9033a4b680a78143c6aaed349
SHA1 hash: 99ee116f87627709feee36edd6f6f4043beb2f08
MD5 hash: 97f87622e4196909824e884ee7d7c0ae
humanhash: timing-oregon-batman-happy
File name:Yceuqvs.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:946'688 bytes
First seen:2020-06-26 07:02:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e4ea71003f2e4bb27bd8bad8c2c3305e (6 x RemcosRAT, 2 x FormBook, 1 x NetWire)
ssdeep 12288:6s7OYB2c+UHVuEp4tZEmfZE7wuLzMLqPbziLlv039vSZ+mzpdgjTV9Q:6sKYIguEpKGk+XicU9dgl9Q
Threatray 5'488 similar samples on MalwareBazaar
TLSH 21157E23F2914477C1631678AC6B5769993ABF112E28694B6BF83C0C5F393513C3E29B
Reporter abuse_ch
Tags:exe FormBook HostGator


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: gproxy3-pub.mail.unifiedlayer.com
Sending IP: 69.89.30.42
From: NIDAL ISSA SHAKHSHIR <info@softtissuepaper.com>
Subject: PURCHASE ORDER
Attachment: PO8559944.rar (contains "Yceuqvs.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/14654/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.generic.ml.6960.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40e20cc321623df3271e2ea7cbe75f647096a8a30737d21d0ef8ddbdc33a7f49/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-26 07:04:07 UTC
AV detection:
35 of 48 (72.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=idrazqzbmi67gjy6f2t4xz27mryjnkfda435ehio7do33qz2p5eq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1a96662a743a681756e4ae5ed7a3d259cca5a50725413698c1769939a950b455
FormBook
4844f86de461d882aa8fba67fe579696bb68e5a5a02d725b2bd9732101f86966
FormBook
58ced5958ea8fea452bbaa34bba957927c391a0d3699542fb3702cdab990c70a
FormBook
5f9b8ce62abc0d49b1bb253bd51286151a8b3d3f09fdb9e37cd964f80df26669
FormBook
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
FormBook
8fa8f67945e7ad85b3afc20abed666c8c69e9b0e592b9002c5bb78438d093d3e
FormBook
9519395df08cc1e952c5d7bd57b705f105dcbe6a59a09f4ae6163873cd75c9bb
FormBook
a93544715a31933d1ac1584d3a28bc7121872569baa1e3a7ecfed06f2d65031c
FormBook
d15bb0b2e07a91123300b30b6b7f26774e873a7bbbf677cdfd1a7c9547a1e353
FormBook
dda2e0d9e1057b0dd8c64979c045e2909236d3ba0669f490b077547aa0f75827
FormBook
+ 5'478 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware evasion trojan
Link:
https://tria.ge/reports/200626-27a59cdq6j/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Adds Run entry to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 30cdcd812f7827f567af81dbea7cd0665b8dd5c61a071f9f4df334d9da8d2642

FormBook

Executable exe 40e20cc321623df3271e2ea7cbe75f647096a8a30737d21d0ef8ddbdc33a7f49

(this sample)

  
Dropped by
MD5 ca96da9a0d1475ef365ff30e6cbb4af0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/14654/
  
Dropped by
SHA256 30cdcd812f7827f567af81dbea7cd0665b8dd5c61a071f9f4df334d9da8d2642

Comments