MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 939863edcaf7c655fb6e3020bdfe5138bf6e61faa3d3b037f113216ccc1be55a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 939863edcaf7c655fb6e3020bdfe5138bf6e61faa3d3b037f113216ccc1be55a
SHA3-384 hash: 54337c813fee975e9eef7b269286f13d2c1312867725935b411559b187a64305eb2e937460038cdb014add1db691f51c
SHA1 hash: 09a79460db647ec8c12328bfc9b8c4daaa86cf72
MD5 hash: eec43b73ccd5f26bbaba81ffc080a573
humanhash: comet-pip-rugby-sink
File name:New Order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'259'520 bytes
First seen:2020-06-15 05:37:02 UTC
Last seen:2020-06-16 13:17:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 134a427d8e11e30f2e4389847cf6bf3c (3 x FormBook, 2 x NetWire, 1 x RemcosRAT)
ssdeep 24576:RBlDgE7EmXWAqSvg439vGSVNe1/hqIiHIVd7:R7DlC+GSjiBioP
Threatray 74 similar samples on MalwareBazaar
TLSH F0456C32B2A1C433D5631A7CDC5B92FC9826BE10A92859877BF53D4CBF39741342A1A7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: orange11-orange404.mynewserver.com
Sending IP: 185.29.25.171
From: info@lstc-lb.com
Subject: Re: Re: Re: New Order
Attachment: New Order.zip (contains "New Order.exe")

Intelligence

File Origin
# of uploads :
4
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10247/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.CryptInjector
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 05:39:04 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=somgh3ok67dfl63ogaql37srhc7w4yp2upj3an7rcmqwzta34vna._file
Verdict:
suspicious
Similar samples:
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d
FormBook
178d42beb97c29b2c1e2ee08ac527d454e234c183ef03a29c357856443f9191b
FormBook
2e5d08e10497cdd14499b4ae823f7d639a738d37784882db758e70fa3804e4e9
FormBook
862b45e2c98a175f625797db1d3342e0d9dc35b79e3386deb42c06b1918867d9
FormBook
8aa7a5eb1247b0d54b2bd29dd6b2d563ca30da4990c8220f61da826fe5941452
FormBook
a7b2c2dfcb01c3c3b3dc945f3b8d1c907a4de8aba291241466a9da4c69492a29
FormBook
b30f264fda73db6970c313776095289e5fc0ee77f6be19010e2f9e125205e845
FormBook
bcb474ac919440674135c673d8c6a0fc8015a63a15b2849c3346f74a716b5249
FormBook
e65953c2d6e33c5da860ceac22ef685533e9b43bb3986e8e136eec82a5f5e547
FormBook
f67653642f6bf485f584df4fbd546966e16fe413a2d152014dac2b586a656397
FormBook
+ 64 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader trojan
Link:
https://tria.ge/reports/201109-dtxq6affta/
Behaviour
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
ModiLoader First Stage
ModiLoader, DBatLoader
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 0fa91b5908e67e139b25b626a047da5ab3003187d0b22ccad00cce2e503a350f

FormBook

Executable exe 939863edcaf7c655fb6e3020bdfe5138bf6e61faa3d3b037f113216ccc1be55a

(this sample)

  
Dropped by
MD5 c607e8da28ea05a0d8af082f73a1e889
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0fa91b5908e67e139b25b626a047da5ab3003187d0b22ccad00cce2e503a350f
Cape
Cape
https://www.capesandbox.com/analysis/10247/

Comments