MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0c49ccef1033cbd0119355f93a8109dccf48d53f0fc155e152efaa7ebf44a5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0c49ccef1033cbd0119355f93a8109dccf48d53f0fc155e152efaa7ebf44a5a
SHA3-384 hash: 100bd44042ae7f87df14a3daa591939d6abde4e5cd5a971b596f598755a959493ef25eb736a85ac85fba81128eec320f
SHA1 hash: f0e1edcb9fa36a79b98e74c4a53078d9cc60e4da
MD5 hash: 28fcf0d7d61f5f19e97e295726fb6fb7
humanhash: finch-shade-october-jersey
File name:invoice copy.scanned-view-intl.exe
Download: download sample
File size:361'472 bytes
First seen:2020-05-07 09:54:57 UTC
Last seen:2020-05-07 10:44:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Qxx2D9eQBdhqGzEIGW4Ng0Zl4nTZWCt+/M1I38bw06ziWKwjgCRalC+9PZiA0Mbl:QxM9DPIPx5l4P0/M1jbw06z40Mugu9
Threatray 5'311 similar samples on MalwareBazaar
TLSH 8774E158395C32BEE027D9728EE4ECB0D964B1B3335E536B8423058A4ACDE86CF15DB5
Reporter jarumlus

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.44874.6167.4845.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Formbook
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 10:57:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=udcjztxram6l2aizgvpzhkaqtxgpjdkt6d6bkxqvf35kp27ujjna._file
Verdict:
malicious
Similar samples:
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
2bde030373678bb2df1223cd3e3c4e7f2992e30739dcc63b688368f02a100067
322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e
7c66608deabea6d49fdb10297968e1b42c61ff456e3877d87a834eff0de01485
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
8842ac3497c777517b2f18152eabaa0994a460d249773a5e89a4e16bca2bd741
9377295578549a20aef16fabe32a2cf658c2ca9c522c52f30b2b8e25213a6a6d
c0e1210ec3e11a5d71cdbf2edfb199539f891a1bdb27ccd97eaf0fb70891c615
ce860f3976ba5df3c4465a4b60d12980677dccc961a9fa91555c7b9de14c3dd8
+ 5'301 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-85gllk595a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.allixanes.com/ka30/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 03194c3877ecab7f35b94abac182ec97df2af899866908c9b71f0bcd59683cb5

Executable exe a0c49ccef1033cbd0119355f93a8109dccf48d53f0fc155e152efaa7ebf44a5a

(this sample)

  
Dropped by
MD5 afe496bbb8b8d875c20d8e069c1db22f
  
Dropped by
SHA256 03194c3877ecab7f35b94abac182ec97df2af899866908c9b71f0bcd59683cb5
  
Delivery method
Distributed via e-mail attachment

Comments