MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a405c8cf0c233bddd6849726247d1426589e3a709e0a0378be86d93868fac48c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a405c8cf0c233bddd6849726247d1426589e3a709e0a0378be86d93868fac48c
SHA3-384 hash: 81abaf842cdb40c5240ca7d1bb463b981c227cce60ae042d39e102a9511e23959ef019a89b37b825fbc076690c079ea2
SHA1 hash: 9784cf4ade8b26e4ec31c3b7ae02bd7b7180daeb
MD5 hash: 3f4f53f1ab6fcb15e70eb577a45a2c46
humanhash: kansas-mexico-india-alaska
File name:Document2.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:665'088 bytes
First seen:2020-07-09 07:47:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c769aa33458940b0c0e3838f7c635f27 (4 x RemcosRAT, 3 x FormBook, 1 x AveMariaRAT)
ssdeep 12288:Z1uSw3tWopwOdOGakJ1olUL+zUQJ75wQnGateqDaitL8SU:Zkx308tOGakJ1gh4QJdwQGMxDaML8SU
Threatray 5'142 similar samples on MalwareBazaar
TLSH 09E47D52F6C09877D02B1A7DCC5FD664683ABE152D24D84A3AE67E0C4EF6341343B29B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: slot0.sapoibest.com
Sending IP: 45.95.169.186
From: Ryan Todorovich <info@sapoibest.com>
Subject: Urgent
Attachment: Document2.img (contains "Document2.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23544/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a405c8cf0c233bddd6849726247d1426589e3a709e0a0378be86d93868fac48c/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-07-08 23:32:08 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uqc4rtymem553vues4tci7iuezmj4otqtyfag6f6q3mtq2h2ysga._file
Verdict:
malicious
Similar samples:
0098bf2ef8230d9bb30b451868272ffb271fe63a8c248bfc9ce569991c19f279
FormBook
0e661b488a5571afb39ddf31bda089f7c032ed0a077501c3b7c8a31a0a6442d6
FormBook
2460c3a92796b5c40abef5471ee446623489b3c1bfb70f1015ab74961d477561
FormBook
5da7735fc8be010eaed89e5776cabe530402d4c6d0c6e5c5de515f12e05081f8
FormBook
5e76ddd6dfa4215c3dbd7269318d15a5e5fae698e65600df0aa3f16639d8fc44
FormBook
5f6ecbe9757644eb46ceaef0b9e8354e63bab83b29bf47f4812c84beb08acb4f
FormBook
8606768cb758ba8379659f65220250ebc1c491dabd668e7f98663571419cadf2
FormBook
9daa8e87928b88143b9482b989764524754c86d142027ccaad1fc452f52c1765
FormBook
a75706020d8d39c3ad03dafeb71baf8e555cbc0223f656aa9335420264a9773e
FormBook
d4405060b30fab298c2747fc58ec301dfa160be2df3e335a78900fac044a2493
FormBook
+ 5'132 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
evasion trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200709-qy8bm4pbvn/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
System policy modification
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Adds Run entry to start application
Deletes itself
Reads user/profile data of web browsers
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 637073642bda3275e0047ae8e09d7ef51537d400fa5f53931db9d22f2287cff7

FormBook

Executable exe a405c8cf0c233bddd6849726247d1426589e3a709e0a0378be86d93868fac48c

(this sample)

  
Dropped by
MD5 9bfaf22877d99dc0f8b0b2d9edc88225
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23544/
  
Dropped by
SHA256 637073642bda3275e0047ae8e09d7ef51537d400fa5f53931db9d22f2287cff7

Comments