MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 846da150185354155686d4f5d45ed5d0791cb8a97769e73e38a33c4d43c75db3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	846da150185354155686d4f5d45ed5d0791cb8a97769e73e38a33c4d43c75db3
SHA3-384 hash:	db6561de6b05a9b900a790b2b47cd24cfc9d138f92e5089c7335c9809638870864571b0f48afc334a778be1263f5b839
SHA1 hash:	98449e2e15817376720a807647ad76c66f7ec0c8
MD5 hash:	c545ea84b1baefc28a6aa0339d5f652c
humanhash:	batman-low-princess-magnesium
File name:	ORDER-A01KS06499.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	946'688 bytes
First seen:	2020-06-25 12:43:36 UTC
Last seen:	2020-06-25 12:43:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a29f4efb911c4906418600fd25679688 (11 x Loki, 10 x AgentTesla, 2 x HawkEye)
ssdeep	24576:o69dI9Dl7bPF4sm9dNdNByMEfAm0s0qwV0:o696/ieAm03qL
Threatray	4'363 similar samples on MalwareBazaar
TLSH	B1159FA2F2B14433C1723A3B9D6B52FD54297E11ED2869462BE4DDCC9F3B24138352A7
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/14278/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

PUA.Win.Adware.Webalta-6862190-0

SecuriteInfo.com.Win32.Herz.B.10803.7096.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/846da150185354155686d4f5d45ed5d0791cb8a97769e73e38a33c4d43c75db3/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-06-25 13:21:45 UTC

AV detection:

30 of 31 (96.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qrw2cuayknkbkvug2t25ixwv2b4rzofjo5u6opryum6e2q6hlwzq._file

Verdict:

malicious

Label(s):

netwirerc

FormBook

0a06767c6ec2249902ef118e04b2044b9784b544b81a7f5e253ae373fd706ceb

FormBook

3f86f49f3c2e3583c70385971bdba545c85d8f2d66f8923bf446dde88be3afc0

FormBook

498fbde70a7375ef095b51ad4ad72798d26a2d28dd82e155e9afc31e95773bea

FormBook

5b5dcd2dd420cb6a9ef69b94fb8340145ca859897285ef38d87b38b1757af463

FormBook

5f6ecbe9757644eb46ceaef0b9e8354e63bab83b29bf47f4812c84beb08acb4f

FormBook

6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b

FormBook

9c5d88a1518cd310e763757d9acd267ed5741d6c79036e1053381729a0d700ca

FormBook

e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c

FormBook

e6de9e86b470184110650c77b487796a8fb27d67a60b9e0ca7a113df7eefdde6

FormBook

+ 4'353 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware evasion trojan persistence

Link:

https://tria.ge/reports/200625-xknmv8q53j/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run entry to start application

Reads user/profile data of web browsers

Deletes itself

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/14278/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample