MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7246bf76c555a29cb79c124fb1e17001ffcd4625e99fdd552ff9fe88427a0e48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7246bf76c555a29cb79c124fb1e17001ffcd4625e99fdd552ff9fe88427a0e48
SHA3-384 hash: e297412191d218ce4e5b68432c1579eef9333ac8e6b2185c67628ded58c505c394b1dbc1c7dc11963725226fb4abff89
SHA1 hash: 28290d7f3927ac890fffa4506ea4321cf10fc851
MD5 hash: 4a73fb862eaf3b96a0759fce98bc05a4
humanhash: georgia-grey-pip-thirteen
File name:Cdcdgmj.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'490'432 bytes
First seen:2020-06-16 05:18:39 UTC
Last seen:2020-06-16 06:12:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e25804e2476796e2e14492adb0d1133c (7 x FormBook, 1 x NetWire, 1 x RemcosRAT)
ssdeep 24576:JsE+vF8Th7G6rdhASVNe1/hqIiHzITM7x:JsEmIQSjiBiT
Threatray 124 similar samples on MalwareBazaar
TLSH 55658D37A3D17476C1E63EB9D816C69E58DEBDC01A94107F1AEB4B0B1A2B661333C172
Reporter abuse_ch
Tags:exe FormBook Yahoo


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: sonic315-14.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.134.124
From: ABDULLAH <ozoigbonduoneofenyi@yahoo.com>
Reply-To: heidimendozah3@gmail.com
Subject: Confirmation of Proforma Invoice
Attachment: Order.rar (contains "Cdcdgmj.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10558/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Webalta-6854075-0
Create hunting rule

PUA.Win.Adware.Webalta-6862190-0
Create hunting rule

Gathering data
Threat name:
Win32.Exploit.BypassUac
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 05:20:08 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ojdl65wfkwrjzn44cjh3dylqah742rrf5gp52vjp7h7iqqt2bzea._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
2302aa79bb34eb683a91324995a9fb366bbbe55dffb53deee00b842e75ad19c0
FormBook
23808af89fdb7af9f2b747f6a339122177e7abc79136a411f24831cf329606b2
FormBook
6ecd0fd68547a4d37029ffff903e0fb2698b98c8774aaa9b2593b4f4936cd812
FormBook
70dea2916d0ca9c6cbd5414addb05007b7ece30a36129de2733cd5373710ee99
FormBook
785790e2814af826f66cf31460fdcf7ce48513c6f451fca29fa52f101dd65b00
FormBook
7c7a7c3e89daeb57bcd8fe5a895461161efafa3a5b2f111e0e23aff6b3f9535a
FormBook
91864b23c3bfb54a354704f3fa769b25d641fd510aa4854a45f5de5956505e91
FormBook
b4cc964b3b1f415fccc67c3a67bd73c6841a6438c4e0725fe8b44602ebece89b
FormBook
c224d671ef8ea5bfdc03b9a33d7ae043827b83c2ddc96e7ce128efb36f26fb9e
FormBook
c24fa17848ef43bb56832a37269703dc8ee023e71ad2c3ff95a421288a63f20c
FormBook
+ 114 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader trojan
Link:
https://tria.ge/reports/201109-38zabrcmls/
Behaviour
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
ModiLoader First Stage
ModiLoader, DBatLoader
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 11229717430c541b88de006884dd7a9c42d5ef2ae24433f7c92b4711ed4a6529

FormBook

Executable exe 7246bf76c555a29cb79c124fb1e17001ffcd4625e99fdd552ff9fe88427a0e48

(this sample)

  
Dropped by
MD5 9b0ae214979397cde1bd2fb2a075bf42
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 11229717430c541b88de006884dd7a9c42d5ef2ae24433f7c92b4711ed4a6529
Cape
Cape
https://www.capesandbox.com/analysis/10558/

Comments