MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 c5ccddfa0f7ee807513279b0195460cd48f3b36f2154c93ff3945fe30c647dde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
FormBook
Vendor detections: 4
| SHA256 hash: | c5ccddfa0f7ee807513279b0195460cd48f3b36f2154c93ff3945fe30c647dde |
|---|---|
| SHA3-384 hash: | e644350e226e1677e63f063487d0c91d971ffd5c38ec1181200ba230ff6d8c2f1c4f7018dd66862faa2cdb31ad745631 |
| SHA1 hash: | 0ad01e9af94cb6ce3247d9b5f09b2655f4b486dc |
| MD5 hash: | 67b1e695bae2dfd1ffe6d1a85141509f |
| humanhash: | pizza-florida-two-bacon |
| File name: | file.exe |
| Download: | download sample |
| Signature | FormBook |
| File size: | 1'247'234 bytes |
| First seen: | 2020-06-25 09:00:20 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 274187873f522793ab32e9ddbc2b6276 (3 x FormBook, 2 x RemcosRAT, 1 x CyberGate) |
| ssdeep | 24576:7yFa3MXDV0cc11BWyxb1ppGIPhECsoxvgiovPoPbg9ao4Tn03r:7yFa3MOxyMb1ppGIPhECsoxvgiovPoPQ |
| Threatray | 5'523 similar samples on MalwareBazaar |
| TLSH | EB45E49F79721F3DF122C139DA193D69C8517913AE170E3D86E12D081EADE4839EB1CA |
| Reporter |  abuse_ch |
| Tags: | exe FormBook geo GRC |
abuse_ch
Malspam distributing FormBook:HELO: server.linux94.papaki.gr
Sending IP: 195.201.245.217
From: Yiannis Agathangelou <orders@thermovent.gr>
Subject: Re: Re: Re: Re: Re: Re: Παραγγελία αγοράς
Attachment: file.zip (contains "file.exe")
Intelligence
File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Possible injection to a system process
Unauthorized injection to a recently created process
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 5'513 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
8/10
Tags:
spyware persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Reads user/profile data of web browsers
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.