MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a58e85fa61d98c70d0f6bf421b73cf73709f36e77578fd52fc05cc85b4dd5419. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	a58e85fa61d98c70d0f6bf421b73cf73709f36e77578fd52fc05cc85b4dd5419
SHA3-384 hash:	abcae2a3b3d9e8f0b8a905bb27d22726fb0fe190acd9e06c9fc4187b61a33d9b7b8e4d6bc6682479c2d1f876679f4124
SHA1 hash:	27f6ae6e3ce3b0b429034fbede44a7a1127b10d1
MD5 hash:	849ed4e93470692daef2a0cbfafe2c00
humanhash:	bacon-avocado-nineteen-mountain
File name:	RFQ.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	285'184 bytes
First seen:	2020-06-16 13:59:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:fFNv6bQkAhZIHb6gZTI3YtEFeXVHj/B9+kOKqYRDXGheALDOwHjIF0uDMyEZVd:eHb6CI3JFeXxj/f/qYRTGhe6O32uDDEJ
Threatray	5'156 similar samples on MalwareBazaar
TLSH	6F54F10433A8AF33D5BD9BFCB8A06140833672692952F74CAD8670FB2676B414751FA7
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: xala.com
Sending IP: 216.108.232.87
From: Han-Su Park <edwin@barberajmeagher.gq>
Subject: RFQ-견적 문의 요청
Attachment: RFQ.IMG (contains "RFQ.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

75

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/11040/

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Masslogger

Status:

Malicious

First seen:

2020-06-16 14:01:09 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uwhil6tb3gghbuhwx5bbw46ponyj6nxhov4p2ux4axgilng5kqmq._file

Verdict:

malicious

Similar samples:

116078d29890c8b0d748b2f2709d2768f7ad9ac04688db1f44189f019f62050f

56b9fd1bd9c1f7466020c1c2fed5d4bbbf1394c711921e91d8dc74fd7c6862a1

7aaba6dcdbb2649a4beeb5e877f26e4ff90aa1c59cb289620dc0098ec88cc663

7f7f93ae7c3ce6bd7d154c2e2188bd39c7d511df8fc890e46085afc34acdba2b

8347dcd8992d73ce59c612f2c59381d084fb88fbf2d30f167e95c8ddd4818dad

89c61ae874590337a9538aeae605e8350af374e4c442a46f487f44b11d532915

d338523f3836e958ad511ae3cca005a255a43bcc684174bf5928246fd477f2cc

df8b72fbc5b86764cdbd998a0cbdbe404f3253f1a51029d5b46a778feb4839a1

dfa8fa537be02efde6add76862693fb2f099e3339798cc1d05a2feff5409ab86

f68b09a8adc07e084eda2fa581e9111716bb34bcba0565da70bda46860ce7c64

+ 5'146 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

evasion trojan

Link:

https://tria.ge/reports/200624-vxbc4zw9mn/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Deletes itself

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img ef71536e0de1e1ce60b3334191aaebc6a66cb624d75c20b236f5a9c69c845bf9

exe a58e85fa61d98c70d0f6bf421b73cf73709f36e77578fd52fc05cc85b4dd5419

(this sample)

Dropped by

MD5 108d9fd8eb6e4f564629d32ef5c97533

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 ef71536e0de1e1ce60b3334191aaebc6a66cb624d75c20b236f5a9c69c845bf9

Cape

Cape

https://www.capesandbox.com/analysis/11040/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample