MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab4583eefcd41b355fe38fcabdfe18450722b162f7b9e8e9ba346040355f4126. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab4583eefcd41b355fe38fcabdfe18450722b162f7b9e8e9ba346040355f4126
SHA3-384 hash: 175bb47c2755471d1ef3c954aa7929e443de9d47ad00a3b6b13f5b9996e2071c3ae6f11cdca6a3a565afafea427638e2
SHA1 hash: 002bc2c5b0c29b12b3853448b9e41b92e86c8860
MD5 hash: 4ff5fb572d684243772cf24b3035ba11
humanhash: maryland-uniform-river-oklahoma
File name:products order pdf.exe
Download: download sample
File size:641'536 bytes
First seen:2020-07-16 08:56:49 UTC
Last seen:2020-07-16 10:05:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash adffce47f22050cf5b8ff3ba2e79cb3f (1 x Formbook)
ssdeep 12288:FB/aceyJY1FpCS93iLgMn4f/H2ETEktvOIpcJpWNNHCf0u1Rak+0f0FyPGyO01l/:Ty1GupCSKHETwxONJPFSGyO0
Threatray 5'126 similar samples on MalwareBazaar
TLSH 32D48E72F6514837C56316789C0B53F8682ABE103D28EC867BFD2E4C5F396A139391A7
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: maghazaei.dns.parsdev.net
Sending IP: 185.73.113.90
From: f.hojati@monibco.com
Reply-To: f.hojati@monibco.com
Subject: Re: Re Re: Re Re: Re Re: Re Re: Re Re: Re
Attachment: products order pdf.zip (contains "products order pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26576/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389497
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 246933 Sample: products order pdf.exe Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 44 www.crenegant.com 2->44 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Sigma detected: Steal Google chrome login data 2->56 58 5 other signatures 2->58 11 products order pdf.exe 13 2->11         started        signatures3 process4 dnsIp5 50 cdn.discordapp.com 162.159.133.233, 443, 49733 CLOUDFLARENETUS United States 11->50 70 Writes to foreign memory regions 11->70 72 Allocates memory in foreign processes 11->72 74 Creates a thread in another existing process (thread injection) 11->74 76 Injects a PE file into a foreign processes 11->76 15 ieinstal.exe 11->15         started        signatures6 process7 signatures8 78 Modifies the context of a thread in another process (thread injection) 15->78 80 Maps a DLL or memory area into another process 15->80 82 Sample uses process hollowing technique 15->82 84 Queues an APC in another process (thread injection) 15->84 18 explorer.exe 3 15->18 injected process9 dnsIp10 46 sortfinances.com 34.102.136.180, 49738, 49739, 49740 GOOGLEUS United States 18->46 48 www.sortfinances.com 18->48 60 System process connects to network (likely due to code injection or exploit) 18->60 22 WWAHost.exe 1 19 18->22         started        26 ieinstal.exe 18->26         started        28 ieinstal.exe 18->28         started        signatures11 process12 file13 36 C:\Users\user\AppData\...36NLlogrv.ini, data 22->36 dropped 38 C:\Users\user\AppData\...38NLlogri.ini, data 22->38 dropped 40 C:\Users\user\AppData\...40NLlogrf.ini, data 22->40 dropped 62 Detected FormBook malware 22->62 64 Tries to steal Mail credentials (via file access) 22->64 66 Tries to harvest and steal browser information (history, passwords, etc) 22->66 68 3 other signatures 22->68 30 cmd.exe 2 22->30         started        signatures14 process15 file16 42 C:\Users\user\AppData\Local\Temp\DB1, SQLite 30->42 dropped 86 Tries to harvest and steal browser information (history, passwords, etc) 30->86 34 conhost.exe 30->34         started        signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab4583eefcd41b355fe38fcabdfe18450722b162f7b9e8e9ba346040355f4126/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 08:58:09 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vncyh3x42qntkx7dr7fl37qyiudsfmlc6646r2n2grqeank7ieta._file
Verdict:
malicious
Similar samples:
11c42a22bd49e9f723718ff607d073bfd3d47afd70ce7152b7329bff2013366c
38d4e4ea5e9b15b4d221cc6627a7b088a54964dfe95b49173a45bc5f9177a249
3c7ef54cf3d06546c5201243fd32d91fb4bf4dbc646956c0b0c5e22ddbfbe113
58ced5958ea8fea452bbaa34bba957927c391a0d3699542fb3702cdab990c70a
68b0e57c728398876c4a835e93ff8e5fe6e90d05175a8815ac17b8a4ba4c68cc
6afac1117b8398317f5eb5f8c66ce52c0fcf2e438a0d40743a584eedd17ac260
7d76b11ffd54f1f7f61dae2d07689f986a40a6bcf79e2606610f77a5c7bb20de
7f9c9b969cacb0ea5d679baff92d33438a27ecb67786022aa03f9f43a4ce56f4
a678db2b0d3f84a7edaa2c100192a43397a7be3d2c482b34d7bdaf1572f00720
ea757d5009b479c116f888667fe901ed1c2f5687d26cd611df29298c17529153
+ 5'116 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200716-ls395mar36/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Gathers network information
Suspicious behavior: MapViewOfSection
Modifies system certificate store
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Adds policy Run key to start application
Adds policy Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 367a15201aa2f5e4e0ce8eeb2db718504b653ca2c2d2dab61098b0d97536ada2

Executable exe ab4583eefcd41b355fe38fcabdfe18450722b162f7b9e8e9ba346040355f4126

(this sample)

  
Dropped by
MD5 dc66bdbec810326ec693517dcbd213b6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26576/
  
Dropped by
SHA256 367a15201aa2f5e4e0ce8eeb2db718504b653ca2c2d2dab61098b0d97536ada2

Comments