MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 773fbca16ec67d4820654e39aaa65645f8608a8f7186f12b5ed62498ff1334c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	773fbca16ec67d4820654e39aaa65645f8608a8f7186f12b5ed62498ff1334c6
SHA3-384 hash:	bbc2f2dd9770808c245a15e95b5b8cf7d8ca654f098c60d56ffab05d827fe7da74ae1b6abbb34eecc5186e6d4cf34919
SHA1 hash:	c3f1def4b65bc427e791d2e285beadf5b0dfc654
MD5 hash:	1365ef23d6453fbc22a28ee56bec858b
humanhash:	six-crazy-pizza-colorado
File name:	PI 46788393.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	542'720 bytes
First seen:	2020-06-16 13:09:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:n3H9HvqPgNeZB2YOcOadI0Ryr3fv6nnjqKoe:tHvqPgEZEnxtrH6nnjqKoe
Threatray	5'092 similar samples on MalwareBazaar
TLSH	C9B4BE4B3944869CCF7D51FAA257414423E9DCBFE508E609AFC433975EE6BD20822B1B
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing Formbook:

HELO: vps.sandrovicari.cc
Sending IP: 45.95.169.67
From: Bella Peng <info@sandrovicari.cc>
Subject: Revised PI 46788393
Attachment: PI 46788393.zip (contains "PI 46788393.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

73

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/11009/

Detection(s):

SecuriteInfo.com.Generic.mg.1365ef23d6453fbc.12262.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-16 13:11:06 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=o473ziloyz6uqidfjy42vjswix4gbcupogdpck262ysjr7ytgtda._file

Verdict:

malicious

Similar samples:

1397dc48d497802e469f2dc1509622cc2aa0382dfe63011767eef0c5cb24e6af

31f02d35e3e941b42298936bd026b39a5d682825bc4b4277945f9f0143617931

4092b0f7ea14add16e6f6f35071b074458a19d4550af50a80ed5742cc7046568

60b16ec5588cc16f4513cd9c999ec223894cef95f7b48c5b180bfcf3852d1521

65cd6807556189c85811f11fb91a981749e7d9760e5a72c0845dd6b8ff93a8f9

66812d316b85e20248c4af1f141a372ec1e434d951f7c6fc51402ab23da87845

89819dbac176147b14b878250b43d1954844e6f0d4bace8b4607bad4405ca96b

8c0b9f69c227d86700be2a4dc67460fa30e46610e444a7dbe143a9bc5bda1297

bb0c96dd4021c9d4f7b7f85ce5372ef74f7ba8c1a257d2c152db052020219799

e8172cbc3806d750d00a5619e618ffc068b9d8247b5f4da507642e70e32ac3f9

+ 5'082 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

evasion trojan

Link:

https://tria.ge/reports/200624-hl3aggase6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Deletes itself

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 241937fdff6aeae4c5a60bc707c331504d4b5c8df13b97ddd2e8da2107978f0e

exe 773fbca16ec67d4820654e39aaa65645f8608a8f7186f12b5ed62498ff1334c6

(this sample)

Dropped by

MD5 5bda56bf95a4cc0997bdb896cc581b65

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 241937fdff6aeae4c5a60bc707c331504d4b5c8df13b97ddd2e8da2107978f0e

Cape

Cape

https://www.capesandbox.com/analysis/11009/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample