MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca2474c82643817c50106479f991ae282b9bb24fde98721dc5f99fe9a5eb3300. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	ca2474c82643817c50106479f991ae282b9bb24fde98721dc5f99fe9a5eb3300
SHA3-384 hash:	30496d79b4727be4fbf837d2bcb472cdb1b533181d823f2c2d6d6d5fa8baefe59e65b7f5e98ceedba1db3fc500c7ed93
SHA1 hash:	8e2cb2687357567045584ed5cb36c11cc928f4a4
MD5 hash:	65e707bd6d53922eed2f27b35bd5355a
humanhash:	skylark-princess-indigo-earth
File name:	R220917549.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	945'664 bytes
First seen:	2020-07-13 11:20:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dada6f26441f1a1d2f2cf25a83bd8107 (16 x AgentTesla, 6 x MassLogger, 3 x FormBook)
ssdeep	24576:PM092htZ8qtYs5T287WqASEGMMg012C8b:PLrqtYRtGMMT12
Threatray	5'264 similar samples on MalwareBazaar
TLSH	B5159E26F2D18433C1722A3C8D5B9764AD26FE007E28AD476BF95C4C5F3968178392E7
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: h3.datagix.com
Sending IP: 82.196.25.97
From: Info - S.M.A. Srl <info@sma.sm>
Reply-To: Info - S.M.A. Srl <fayza.hmidi.artlab@gmail.com>
Subject: ORDINE
Attachment: Doc13072020.zip (contains "R220917549.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

106

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/25220/

Detection(s):

SecuriteInfo.com.Adware.Generic4.BBFB.UNOFFICIAL

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Reading critical registry keys

DNS request

Setting browser functions hooks

Possible injection to a system process

Stealing user critical data

Unauthorized injection to a system process

Deleting of the original file

Unauthorized injection to a browser process

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ca2474c82643817c50106479f991ae282b9bb24fde98721dc5f99fe9a5eb3300/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-13 11:21:05 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zishjsbgioaxyuaqmr47tenofavzxmsp32mhehof7gp6tjplgmaa._file

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e

5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6

67586cd711a0de6176d2df1bde9bf36f024f893328ae9c447bdf5e636e99502b

83a9482f5fb2807da38f62dce5a40bdf154d2c26f7a3080982efa30491bb66c4

98090f606cda48999384c614b1f92bb9d0e5f1541b86d8d62bf1e6639633a271

b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893

cd1a9b8d7f8d830bcb13548fdd9f02a7fae07b7c49fd12bd1a7e02ed346bc010

ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645

e6ec516f652708d86ea17dfa8a860550a6be97d1d2c886d67c5bc1e2ad5a2ccd

f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c

+ 5'254 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

trojan spyware stealer family:formbook persistence

Link:

https://tria.ge/reports/200713-q5fdbwvy7n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Drops file in Program Files directory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run entry to start application

Deletes itself

Reads user/profile data of web browsers

Reads user/profile data of web browsers

Adds Run entry to policy start application

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 3c02bb7b44aed296562d9cd1b8a999438ebe46129a9a9eed79dc6e86a1581048

exe ca2474c82643817c50106479f991ae282b9bb24fde98721dc5f99fe9a5eb3300

(this sample)

Dropped by

MD5 44255c749cdfe1ab1d9a0c7a8d7826e6

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 3c02bb7b44aed296562d9cd1b8a999438ebe46129a9a9eed79dc6e86a1581048

Cape

Cape

https://www.capesandbox.com/analysis/25220/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample