MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63c1ce2aef3529012b5e2d4453754583f41b5aa0f1f8e12e8e08a8a8abc9470e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63c1ce2aef3529012b5e2d4453754583f41b5aa0f1f8e12e8e08a8a8abc9470e
SHA3-384 hash: b6df44381ea8e24a43151785e11a15103a05240e4ff4e5760ef18dfb22fccd3bfda6fec9a706a2f3fd6b61a97ed8ca28
SHA1 hash: 778ef3670b3a55dbdefaf4f5f756aa1964feb330
MD5 hash: a53604e429dd528d745800b1b533a85e
humanhash: purple-yankee-stairway-pasta
File name:products inquiry.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:235'008 bytes
First seen:2020-07-13 06:27:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:da9IBgNDLHhpjgybHQetK9GVFCF428VyE:U+BcDl2y8WK9GV64Lw
Threatray 5'347 similar samples on MalwareBazaar
TLSH 1B34125F2BCE2772DE35A5707C401716F3FA2F864910FE5C8756328A8A723419E62772
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: cust3.amsconsult.com
Sending IP: 180.250.103.13
From: Andrianto Maulana <andrianto.maulana@tokomodal.co.id>
Subject: Product required
Attachment: products inquiry.rar (contains "products inquiry.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24984/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Launching cmd.exe command interpreter
Possible injection to a system process
Enabling autorun with Startup directory
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/63c1ce2aef3529012b5e2d4453754583f41b5aa0f1f8e12e8e08a8a8abc9470e/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 06:29:04 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpa44kxpguuqck26fvcfg5kfqp2bwwva6h4ocluobcukrk6ji4ha._file
Verdict:
malicious
Similar samples:
1520c196804649d5a465a2003046210148f70d50e926366300214cea9ef15719
FormBook
1b63db723d1957b88d6199fb5ea958f28de43333d2482a137c5b73b8be78a4a0
FormBook
1e82507cd7b999f2ffa46f4591486b0ff45fb3fc664419279c15677f4a5a20d9
FormBook
5056afb57576d4fc72369a0c11d434406085f7e62f773f3db7e297061cba717a
FormBook
75ce329091d54aa2fcf6cd6f58704493e0f4ac878279c49db239140051341931
FormBook
9d7e42c747de8d1f950c5fb27e4bee452d41140969f7a3af1da9e20e7fde6613
FormBook
a4871c9770bdd0f9454e689411f3ffb3267913568b49f6457d681470770fa92e
FormBook
aa5bb63c10ba7512a7f1612ca4b89768023be9fe17bcdf07665ec06640ca242d
FormBook
d12fda0c8cf02474c474c6cbeba40591ba336a7fdf8d3f164493e5f6200f77ca
FormBook
edc773741982183fbbca2bc01649bdd6904f8aac5392cec6cfcfeab881c1e727
FormBook
+ 5'337 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200713-tjlxnjfean/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 83b7a7bf23fa39eeab65f07a021bb708f3c173d29441213853015186f46cb703

FormBook

Executable exe 63c1ce2aef3529012b5e2d4453754583f41b5aa0f1f8e12e8e08a8a8abc9470e

(this sample)

  
Dropped by
MD5 d89a2fa94fe740728bfc9c841556f534
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/24984/
  
Dropped by
SHA256 83b7a7bf23fa39eeab65f07a021bb708f3c173d29441213853015186f46cb703

Comments