MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be29f9be4b998a7893c2c182c972406067eaf913364484a1fa824133d71ef54f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	be29f9be4b998a7893c2c182c972406067eaf913364484a1fa824133d71ef54f
SHA3-384 hash:	d64f2f1dc489ad875ec2331661da151f0618ff810efefec96b7b4e9bf0324408922bdfbb9c47d6051674a512ca599d76
SHA1 hash:	25a60cbd9023e950f8ac80319b94bf9f4384a370
MD5 hash:	63e5617320dbc93f53d5f474a9b97e02
humanhash:	virginia-michigan-december-lima
File name:	Attached is the list of the new order.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	635'394 bytes
First seen:	2020-07-06 06:23:56 UTC
Last seen:	2020-07-06 07:45:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d7a6667308868eb5622c328a0adcf08f (3 x FormBook, 1 x RemcosRAT, 1 x Loki)
ssdeep	12288:SyiFoineGN96o8EsQ7/DQY8S0UuY7V9i0Lv6n:SDQGN91r7rt+UuY7VXLv6n
Threatray	5'397 similar samples on MalwareBazaar
TLSH	ACD4AF61F2D24537C1671A3DCC5BA7B8A829BF512E2824475FE53D0C5F39382392ADA3
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: h2816080.stratoserver.net
Sending IP: 85.214.226.43
From: Wissam Abdeen Gevo <gevo@gevomaritime.com>
Subject: Re: Re: new order,
Attachment: Attached is the list of the new order.zip (contains "Attached is the list of the new order.exe")

Intelligence

File Origin

# of uploads :

3

# of downloads :

86

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/20789/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/be29f9be4b998a7893c2c182c972406067eaf913364484a1fa824133d71ef54f/

Threat name:

Win32.Spyware.Noon

Status:

Malicious

First seen:

2020-07-05 22:20:54 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xyu7tpsltgfhre6cygbms4sambt6v6itgzcijip2qjathvy66vhq._file

Verdict:

malicious

Similar samples:

01563eeff9cd4cb84253c2c9bc40762d118780ab89c6c7b82ce9c9cf0a56a818

017f433a49afcc765c5a5e7f39de6251fbe37d9c98f7d86f1abcefb1a9f559bc

41519f4cbc28650e8151b62f9a6b9503274a80d6dc51bade4a118812742e63ab

61ce52bb7cf517275e2bea379104a392630ec8dc216790a910f4586efbdca4fb

86d0178097eebb5010e24650ce79f80f19567ad2872f0f0b7325761a01cf67f5

8afd54f2ed0af6d9593b0985cec1604748ca753900859fe4ee225d21b574e55e

91ff383b66f03166257bbf629acfab862c2269e04b76bc49714520a5709e5e72

a6534d12c87d0d8093cad2787b01a05c6caa0771f1b1cb51b809ee1ae9f48044

c5ccddfa0f7ee807513279b0195460cd48f3b36f2154c93ff3945fe30c647dde

e95f01bbde0fbd70670b820b972768e7fc5f23509495c805ddbc3271030f443c

+ 5'387 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware persistence

Link:

https://tria.ge/reports/200706-wcdyacv2px/

Behaviour

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Adds Run entry to start application

Adds Run entry to start application

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of web browsers

Reads user/profile data of web browsers

Adds Run entry to policy start application

Adds Run entry to policy start application

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 5049fa6ca3b2928cd695875eaf85e49b2f0c4d79719346c2b37893e32e5a297b

exe be29f9be4b998a7893c2c182c972406067eaf913364484a1fa824133d71ef54f

(this sample)

Dropped by

MD5 cf11c1631f4a4ad254482fa318a77469

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 5049fa6ca3b2928cd695875eaf85e49b2f0c4d79719346c2b37893e32e5a297b

Cape

Cape

https://www.capesandbox.com/analysis/20789/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample