MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ea46ecef461a6c32eecb69c666d239fc9752daba6c1190b0b04d53909c7d842. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	9ea46ecef461a6c32eecb69c666d239fc9752daba6c1190b0b04d53909c7d842
SHA3-384 hash:	c89fb2de2a12aa11be5030cda8f547f70a1903026f4b24085435331e0d4142cb6a48b36f42dc0c10f00952e4838a4bd7
SHA1 hash:	aac7d3ce6647c831b908093498a15b8957fd240f
MD5 hash:	4db48ee37c95d717d94e521dcc0553c7
humanhash:	jig-hotel-freddie-quiet
File name:	Picture2.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	985'600 bytes
First seen:	2020-06-28 07:39:02 UTC
Last seen:	2020-06-28 08:45:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	36c59039a5d2277d95faf77e2b67cda1 (3 x FormBook)
ssdeep	24576:RCcVhdV/AQxyzse6pqGWDO9xaAKWauiVre493e4:fDhqW/P4x3
Threatray	5'199 similar samples on MalwareBazaar
TLSH	9425A162F3414937D5331B7C4C2B63986926BE112E2C58466FF89E4C6F3A7417C2A2E7
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

2

# of downloads :

85

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/15166/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a file

Launching the default Windows debugger (dwwin.exe)

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9ea46ecef461a6c32eecb69c666d239fc9752daba6c1190b0b04d53909c7d842/

Threat name:

Win32.Trojan.Occamy

Status:

Malicious

First seen:

2020-06-28 07:40:06 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=t2sg5txumgtmglxmw2ogm3jdt7exklnlu3arscylatktscoh3bba._file

Verdict:

malicious

Similar samples:

0211865d58af36be2009eb29a77a400355a4cb7b8542d6359a6fa304c3f7d935

0df0a487b38b5d9bdbc8e2c05ba4c639dfe09969f5f68c85da43b46c16a48f6b

0e7ec69a6222b2753c0167997838b380acfd47834a6d1e7dd2475fd4fe07d63c

18dc7ad4fd5ffd0ec8b8f12884b41f3ace4e2ba95f704175ebf0a0eead74ba36

1f6b6d481b672f8ed428a044ebffa9e16424317c0081aad3c00cb61a547b90b5

27d591d9f4f1c5c4f3f6ae8f975b1a0ed7d2ffb5277348e59cd32ef5c57e6168

560c76df97fdc5816fa9310921082a04b44b781e60bc77f84b970df04a36d1f4

6715e87f7070a2d7b5b2c71e98a7bade689a504aed3b95654af3494248a501d4

cac635b83d0ee884f8d8bbce419b4c9d13273f4a10c450c2ea50830dc683e3ac

ea12fb909266d6a6f7315c8ffe0fcedb6b63ba660cd91e7c2ac4e6db14596171

+ 5'189 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware persistence evasion trojan

Link:

https://tria.ge/reports/200628-x3wexgdtbe/

Behaviour

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run entry to start application

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of web browsers

Deletes itself

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 9ea46ecef461a6c32eecb69c666d239fc9752daba6c1190b0b04d53909c7d842

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/15166/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample