MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9519395df08cc1e952c5d7bd57b705f105dcbe6a59a09f4ae6163873cd75c9bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook
Vendor detections: 6

SHA256 hash: 9519395df08cc1e952c5d7bd57b705f105dcbe6a59a09f4ae6163873cd75c9bb
SHA3-384 hash: 812e25ed07c2c2bbb8283291de242d651df7843a90056a15bf8f450c7c440f04846fd917d878978804e3a5345ac26421
SHA1 hash: fbcdcc4b51248f8ce030de813f2d447175cdd331
MD5 hash: 8e467cb6f90fed9f8511eeef1580e193
humanhash: romeo-utah-carolina-kilo
File name: 8e467cb6f90fed9f8511eeef1580e193.exe
Signature: FormBook
File size: 829'952 bytes
First seen: 2020-06-26 11:39:12 UTC
Last seen: 2020-06-26 12:46:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 40976bd0dfb9d8835690180f02eb563a (3 x RemcosRAT, 2 x FormBook, 1 x NetWire)
ssdeep: 12288:9HDP+feVTP9D8jFUnohgvBsMWwo1fkR3CcYs6z7x7J13Mwb:1LVR9gjF8ohgvBfo9kchz1h
Threatray: 5'370 similar samples on MalwareBazaar
TLSH: F4058E62F2915A3BD0321B7C8D1B53985926FD112D2C9D866FF89F4C5F3A3817C292A3
Reporter: abuse_ch
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 2
# of downloads: 87
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Sending a custom TCP request
  Creating a file
  Launching the default Windows debugger (dwwin.exe)
Threat name: Win32.Backdoor.NetWiredRc
Status: Malicious
First seen: 2020-06-26 11:41:04 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: persistence spyware evasion trojan
Behaviour:
  Modifies Internet Explorer settings
  Suspicious use of WriteProcessMemory
  Suspicious behavior: MapViewOfSection
  Suspicious use of SendNotifyMessage
  Suspicious use of FindShellTrayWindow
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of SetThreadContext
  Legitimate hosting services abused for malware hosting/C2
  Adds Run entry to start application
  Checks whether UAC is enabled
  Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments