MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4844f86de461d882aa8fba67fe579696bb68e5a5a02d725b2bd9732101f86966. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

SHA256 hash: 4844f86de461d882aa8fba67fe579696bb68e5a5a02d725b2bd9732101f86966
SHA3-384 hash: 065d27d8f8a389b367bee04b9d32fc612484ee285f7583a6f08628819e7bafc79cb15cce26c2949a14beea78011b6ce9
SHA1 hash: ecae724d479f576e52427220acee261e943ddf96
MD5 hash: c53846c2fb17b0371e5ea694c7131a6b
humanhash: fish-fruit-earth-green
File name: yafucqd.msi.exe
Signature: FormBook
File size: 678'912 bytes
First seen: 2020-07-01 19:11:42 UTC
Last seen: 2020-07-01 19:49:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4b522d1337a03224b843b6d2e54f5f21 (2 x AveMariaRAT, 2 x FormBook, 1 x RemcosRAT)
ssdeep: 12288:KsGedX0ZE/lT+YhK6Aosb3zvIje3qBrJCSuAsofYM5PajSak:jfmZ6x+WHhi3zAxfCSuAsIYMB
Threatray: 5'273 similar samples on MalwareBazaar
TLSH: D0E48E22B690C437C07619389D0BBBF45936BD10AEE4A9873BE87D4C5F34A913939397
Reporter: James_inthe_box
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 89
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Exploit.BypassUac
Status: Malicious
First seen: 2020-07-01 14:11:37 UTC
File Type: PE (Exe)
Extracted files: 53
AV detection: 25 of 29 (86.21%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: persistence spyware
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments