MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52ea3c1f51eb3a8920e2895ebe7d54ed9b010407775434da9c47fdeceae7af84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	52ea3c1f51eb3a8920e2895ebe7d54ed9b010407775434da9c47fdeceae7af84
SHA3-384 hash:	6f9c06a12e60d1daf560810e48c28c16ee4153b1715fdd2c5b86af24f4cde7746388e2847d01cf286edcb64956b66e3a
SHA1 hash:	0e971179de4cca5040b859798438430c31766ff3
MD5 hash:	6098046ed0dea1396f4c88e1131918d7
humanhash:	montana-kansas-glucose-vermont
File name:	6098046ed0dea1396f4c88e1131918d7.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	445'261 bytes
First seen:	2020-06-09 10:26:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep	12288:tan8Ey++Xah8bhA/jS3zV+Hh1dUWrIOlE:vEiahwhA7WVih4WrxlE
Threatray	5'750 similar samples on MalwareBazaar
TLSH	019423683FA0F83BD15207742D52FAC5AFA1CD036245A78B67E834583831D5B9A3F897
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

80

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Downloader.Soft32downloader-6691270-0

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL

Gathering data

Threat name:

Win32.Ransomware.WannaCry

Status:

Malicious

First seen:

2020-06-09 10:28:05 UTC

File Type:

PE (Exe)

Extracted files:

50

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=klvdyh2r5m5isihcrfpl47ku5wnqcbaho5kdjwu4i766z2xhv6ca._file

Verdict:

malicious

Similar samples:

0e661b488a5571afb39ddf31bda089f7c032ed0a077501c3b7c8a31a0a6442d6

0fd1ddf542f9746a9e25ceb976d416b8385d837d5e71bb02bd9b999083620d9f

4601b57fb9acf7117686773d8616efcac498591a6b650acc9a4f96871e9694b5

6142ce64bdf7d4373dedcadb54fb06efed10595a65713783f2930eb1ebb9f989

84b4040d764a758414d6e7d913161c97846e563eb18e3497f207670f9d239bc8

8bcdcd3db1dd3688101b18e4c090194ce7ac4e96ef206e56d5595e467cf25e46

8df5858f489a1dd9f113eda4dbe0aded3fd5a128dd32e991e94c5a2b7623ba64

a102c4a2dfca8c218f1e65cbb5050012da856c3deba018d8c238fa9b09dd3a2b

b1d9adc8ee80f24960fb84adbb029695e49763faecbf559f92410d44bf28b0d3

dafbe8f50df58d704b31ddd6cde8fafa09627ffc4dc63b774104376fe924c3e9

+ 5'740 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-jgarx1yywn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of web browsers

Adds policy Run key to start application

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.artiyonq.com/pw9/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 52ea3c1f51eb3a8920e2895ebe7d54ed9b010407775434da9c47fdeceae7af84

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/384523/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample