MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae438370eda70ba48a763c526e61b068e16d11cbd00e9cb504d6f1eeb7442d22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook

Vendor detections: 7


SHA256 hash: ae438370eda70ba48a763c526e61b068e16d11cbd00e9cb504d6f1eeb7442d22
SHA3-384 hash: 2a81b4deda487346691feeb20467ebd5a054ba554f283df89f2762f32e1f3e2a8fbe9159b1f9e07e4625b58597446567
SHA1 hash: ae5ec84f56c65239862745ef217d6b883f0375d6
MD5 hash: b299b28f77a9de1c0f5bb30cf8522aa2
humanhash: xray-finch-october-delaware
File name: benzway.exe
Signature: Formbook
File size: 702'976 bytes
First seen: 2020-06-30 06:04:48 UTC
Last seen: 2020-06-30 07:01:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 24f26e153c9b6068c0a4770547eb6d9e (14 x Loki, 7 x AgentTesla, 2 x Formbook)
ssdeep: 12288:LCbpcLhilrm7G8oclWEAroCo3DQmTl7/RmATiGn4NAq70ix:cuLhi80Jro7FR1H4Nxwi
Threatray: 5'318 similar samples on MalwareBazaar
TLSH: B6E49E22E7A0443FF072367D9D2B57BC982ABD51392C79472BE4DC7C6F292413926287
Reporter: JoulK
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 2
# of downloads: 80
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.LokiBot
Status: Malicious
First seen: 2020-06-30 06:06:05 UTC
AV detection: 30 of 31 (96.77%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: evasion trojan spyware stealer family:formbook persistence
Behaviour
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run entry to start application
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample, such as its delivery method and external references.

Delivery method: Web download (distributed via web download)
Sample: Formbook, Executable exe ae438370eda70ba48a763c526e61b068e16d11cbd00e9cb504d6f1eeb7442d22 (this sample)
