MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91ff383b66f03166257bbf629acfab862c2269e04b76bc49714520a5709e5e72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	91ff383b66f03166257bbf629acfab862c2269e04b76bc49714520a5709e5e72
SHA3-384 hash:	09ed071695f674595b9bbc84ee6b4ba6044640a746ef8a27d5519a97b0d6dcfb05c5e7023455e7d291edfeb64c99d3cd
SHA1 hash:	adf664784193f93ae2de958406c7a8e17b1ede23
MD5 hash:	fe83df2db91d0d208f20b5092fc64980
humanhash:	paris-xray-freddie-kitten
File name:	file.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	1'092'096 bytes
First seen:	2020-07-03 12:41:42 UTC
Last seen:	2020-07-03 14:13:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9c21823864d17748e41e461aad6df761 (3 x FormBook, 1 x RemcosRAT)
ssdeep	24576:bwBWwQ4IMud9KLLM1nmViXJhk4DGyevisgaL:bUQzrTcViXr6zL
Threatray	5'350 similar samples on MalwareBazaar
TLSH	34357E52F2914837D5231A789C6FD7786829BE052A78984E37FD3D0C2F76741383A68B
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

From: Marija Manojlović <mmanojlovic@molserbia.rs>
Subject: Re: Нев Ордер
Attachment: file.zip (contains "file.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

91

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/18743/

Detection(s):

SecuriteInfo.com.Win32.Injector.EMOA.24241.UNOFFICIAL

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/91ff383b66f03166257bbf629acfab862c2269e04b76bc49714520a5709e5e72/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2020-07-03 12:43:10 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sh7tqo3g6aywmjl3x5rjvt5lqywce2pajn3lyslriuqkk4e6lzza._file

Verdict:

malicious

Similar samples:

01563eeff9cd4cb84253c2c9bc40762d118780ab89c6c7b82ce9c9cf0a56a818

017f433a49afcc765c5a5e7f39de6251fbe37d9c98f7d86f1abcefb1a9f559bc

61ce52bb7cf517275e2bea379104a392630ec8dc216790a910f4586efbdca4fb

86d0178097eebb5010e24650ce79f80f19567ad2872f0f0b7325761a01cf67f5

8afd54f2ed0af6d9593b0985cec1604748ca753900859fe4ee225d21b574e55e

a6534d12c87d0d8093cad2787b01a05c6caa0771f1b1cb51b809ee1ae9f48044

be29f9be4b998a7893c2c182c972406067eaf913364484a1fa824133d71ef54f

c5ccddfa0f7ee807513279b0195460cd48f3b36f2154c93ff3945fe30c647dde

da63e8bb36574c655d7d306574afbc4a67396b12cf8553b1149e0ac8560dc313

e95f01bbde0fbd70670b820b972768e7fc5f23509495c805ddbc3271030f443c

+ 5'340 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence spyware

Link:

https://tria.ge/reports/200703-s9d9klpa7x/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

Adds Run entry to start application

Legitimate hosting services abused for malware hosting/C2

Adds Run entry to start application

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of web browsers

Reads user/profile data of web browsers

Adds Run entry to policy start application

Adds Run entry to policy start application

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 609075c3e71ac6ad3b733533ff357478eccc0457ec47f9dcc42ca86cf0d6a28b

exe 91ff383b66f03166257bbf629acfab862c2269e04b76bc49714520a5709e5e72

(this sample)

Dropped by

MD5 49a3ce817acc12ca38120193f7707256

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 609075c3e71ac6ad3b733533ff357478eccc0457ec47f9dcc42ca86cf0d6a28b

Cape

Cape

https://www.capesandbox.com/analysis/18743/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample