MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74d74e7da724014c17890327f3464b435314f480eb46553723ce0766941b38da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	74d74e7da724014c17890327f3464b435314f480eb46553723ce0766941b38da
SHA3-384 hash:	8295dd225aa237dfc1d836d0013a3b0924710bec78450d6c143f5ab733a19283c5c8b751845a23babb6e116f8bec95a5
SHA1 hash:	a50f19294e5553b62f26792c43b5ee1d94efe04e
MD5 hash:	790d5b40c6c93e4b5b404c61de360acc
humanhash:	hot-april-yankee-triple
File name:	Mopigyo.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	559'616 bytes
First seen:	2020-07-09 14:26:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9a50e73bc75a3005fac729605bdf4c02 (3 x FormBook, 3 x RemcosRAT, 2 x AveMariaRAT)
ssdeep	12288:tvldw9ecty5wgPvh3NQFoVvVLrkX6dtOFRlA4B3zBKzf:lfw9DKth3NQFoDLrkXgtYRlA4lz8
Threatray	5'145 similar samples on MalwareBazaar
TLSH	E9C48F72F2D08937D12F1A79CD1B96A8583ABE103D28DC8A7BF52D4C5F39651343A1A3
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: email.iranjava.net
Sending IP: 64.79.79.178
From: info@avasanat.com
Reply-To: cherian.deilami.ae@mail.com
Subject: Details of Order
Attachment: Details.zip (contains "Mopigyo.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

81

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23899/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/74d74e7da724014c17890327f3464b435314f480eb46553723ce0766941b38da/

Threat name:

Win32.Exploit.BypassUac

Status:

Malicious

First seen:

2020-07-09 09:28:44 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=otlu47nheqauyf4jamt7grslinjrj5ea5ndfknzdzydwnfa3hdna._file

Verdict:

malicious

Similar samples:

0efa7703690d3fe9df70c81d7dea974aa710c7c55a76fd50e6a050bc76698d89

1940c82d728454e9a43d2efc7dd0033fcbf58880b32d227830e54a43b885ca3c

2680be0d6ab364c09e9ca33e93bc0dfa3de6906e014bdb4aafc77ea9caf76650

2b8f048a61ef0fcd4a8d4f54cf1a22cf637883aae8b542f981ead6f043f02ffe

426a7d5241a207054d695ea06f8133260c2684c5598420954f0fde91a03fe059

5e2ceeaf0867b931ec61f6e4c6bd5403e237353eda4816509038fdec470b6ddb

8ce629f720939b40acc1e571be11a81967e80dd4deb2a2b2a140623d64ea008b

97d8ae62cb751e857b04d9eaa68ee2acce3d7243009bdb04639a729cdfc7cbf3

cf6bbd5a9224dcd52aa71c16288945611a3348ca9953f32fa92a4c481c307195

f01669ff0af4c1b8f4f15985fae94c302537ed8affc5b2fe01534594036218f2

+ 5'135 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence spyware

Link:

https://tria.ge/reports/200709-twynh4tqsn/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Adds Run entry to start application

Legitimate hosting services abused for malware hosting/C2

Adds Run entry to start application

Reads user/profile data of web browsers

Reads user/profile data of web browsers

Adds Run entry to policy start application

Adds Run entry to policy start application

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 4a6e3a908048640461807613cb1dbee0600672d43d5d95ebaa05f5786f4904e2

exe 74d74e7da724014c17890327f3464b435314f480eb46553723ce0766941b38da

(this sample)

Dropped by

MD5 64d508b8a83b236a355a0f31d60bddd5

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/23899/

Dropped by

SHA256 4a6e3a908048640461807613cb1dbee0600672d43d5d95ebaa05f5786f4904e2

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample