MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab654da16e2c42b2547b884c79f0829214b34e0d1db7ab0ad23271a66f3298c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab654da16e2c42b2547b884c79f0829214b34e0d1db7ab0ad23271a66f3298c3
SHA3-384 hash: 0f6c0ca7670c4cdfb279c4dd2751ee8cbd9308a979c8b8670cc3f47d9bfe307055da318ed6af628468ef827e7067b333
SHA1 hash: f1725101ee1c02864a3e829d08d9062d9f05a694
MD5 hash: 51c0b8ed8fefbc54a2dee932441e60f5
humanhash: mockingbird-king-violet-delaware
File name:Attached is list of our purchase order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'042'434 bytes
First seen:2020-06-29 07:26:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5d0e79988ecb959886127ac7817e5abe (3 x FormBook)
ssdeep 12288:iLmPCfh8bqyp4hVV8E2KnYJuhEFNznsjgieOVEjvSnyDnAtrlk3bB2eBocI:iLpfNN8EeHTzbnLmxlkLB2MW
Threatray 5'430 similar samples on MalwareBazaar
TLSH 1F259D23B3916C3ED13326789C5F46E45A26BF002B28A64A27E53D7D5F3AF5138991C3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.linux94.papaki.gr
Sending IP: 195.201.245.217
From: Nissos Kivittis <nissos.k@bwl.com.cy>
Subject: Re: Re: Re: Re: Order
Attachment: Attached is list of our purchase order.zip (contains "Attached is list of our purchase order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/15618/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab654da16e2c42b2547b884c79f0829214b34e0d1db7ab0ad23271a66f3298c3/
Threat name:
Win32.Exploit.BypassUac
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 07:28:07 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vnsu3ilofrblevd3rbght4ecsiklgtqndw32wcwsgjy2m3zstdbq._file
Verdict:
malicious
Similar samples:
3c758c3133fb2a7c7c51b2ec84028759bc99e1f3ca3bc22c1046d90f79801f76
FormBook
41519f4cbc28650e8151b62f9a6b9503274a80d6dc51bade4a118812742e63ab
FormBook
61ce52bb7cf517275e2bea379104a392630ec8dc216790a910f4586efbdca4fb
FormBook
8afd54f2ed0af6d9593b0985cec1604748ca753900859fe4ee225d21b574e55e
FormBook
91ff383b66f03166257bbf629acfab862c2269e04b76bc49714520a5709e5e72
FormBook
a6534d12c87d0d8093cad2787b01a05c6caa0771f1b1cb51b809ee1ae9f48044
FormBook
c5ccddfa0f7ee807513279b0195460cd48f3b36f2154c93ff3945fe30c647dde
FormBook
cc223497fe89e227d0696798ffd12ef6037ee71dfe047483f6a8f1be69bf5754
FormBook
da63e8bb36574c655d7d306574afbc4a67396b12cf8553b1149e0ac8560dc313
FormBook
e95f01bbde0fbd70670b820b972768e7fc5f23509495c805ddbc3271030f443c
FormBook
+ 5'420 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200629-6zmna64pm2/
Behaviour
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Adds Run entry to start application
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip bc5af6d6aa8b703a81fe8ba15788bf4de8bc9f5c69d300eb15559df8960b3232

FormBook

Executable exe ab654da16e2c42b2547b884c79f0829214b34e0d1db7ab0ad23271a66f3298c3

(this sample)

  
Dropped by
MD5 7101fce5a4db622570268cdb05a1fc42
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/15618/
  
Dropped by
SHA256 bc5af6d6aa8b703a81fe8ba15788bf4de8bc9f5c69d300eb15559df8960b3232

Comments