MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc223497fe89e227d0696798ffd12ef6037ee71dfe047483f6a8f1be69bf5754. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc223497fe89e227d0696798ffd12ef6037ee71dfe047483f6a8f1be69bf5754
SHA3-384 hash: 21a2fe3f0767f01982d33b7243fbcf99fddd63b12fe8430b048a249c2077dfa993841bad5cec8509566c14b981548629
SHA1 hash: decbd80b7215eef9049542b529986359fea02ff9
MD5 hash: ef3ca842b9c00a0bc3c40cb0c547180e
humanhash: zulu-pizza-mike-shade
File name:Yeni Sifariexe
Download: download sample
Signature FormBook
Create hunting rule
File size:666'624 bytes
First seen:2020-06-09 08:35:01 UTC
Last seen:2020-06-10 09:14:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 79c2c767a803ce5a1d9cb231e7f92fe5 (3 x FormBook)
ssdeep 12288:QsMvEKOq2hhRjWRawDIwoVByJ8ksvcr0/e:QsyErtRjMYBWr
Threatray 5'366 similar samples on MalwareBazaar
TLSH A1E47E33B1E047F3C1662A38BC1B9769B469BD1C6D589C4A6BE43F4C5F3C2907929293
Reporter abuse_ch
Tags:FormBook Yeni Sifariexe


Avatar
abuse_ch
Malspam distributing FormBook:

From: sales4@lss.az
Subject: Re: zəhmət olmasa yeni sifarişi yoxlayın
Attachment: Yeni Sifari.zip (contains "Yeni Sifariexe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-09 08:36:09 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zqrdjf76rhrcpudjm6mp7ujo6ybx5zy57ychja7wvdy342n7k5ka._file
Verdict:
malicious
Similar samples:
01563eeff9cd4cb84253c2c9bc40762d118780ab89c6c7b82ce9c9cf0a56a818
FormBook
017f433a49afcc765c5a5e7f39de6251fbe37d9c98f7d86f1abcefb1a9f559bc
FormBook
3c758c3133fb2a7c7c51b2ec84028759bc99e1f3ca3bc22c1046d90f79801f76
FormBook
86d0178097eebb5010e24650ce79f80f19567ad2872f0f0b7325761a01cf67f5
FormBook
8afd54f2ed0af6d9593b0985cec1604748ca753900859fe4ee225d21b574e55e
FormBook
91ff383b66f03166257bbf629acfab862c2269e04b76bc49714520a5709e5e72
FormBook
be29f9be4b998a7893c2c182c972406067eaf913364484a1fa824133d71ef54f
FormBook
c5ccddfa0f7ee807513279b0195460cd48f3b36f2154c93ff3945fe30c647dde
FormBook
da63e8bb36574c655d7d306574afbc4a67396b12cf8553b1149e0ac8560dc313
FormBook
f4cbb077c89f62bb6542489c882b324e8e2880dc3970e2540e61d1d25fff157a
FormBook
+ 5'356 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-ns7m6eblje/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://www.joomlas123.info/3nop/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip f81b600bdc6cc3567388b747dcd8125ed1af34d1ea5aa0a8207f3e9ff08ef3c3

FormBook

Executable exe cc223497fe89e227d0696798ffd12ef6037ee71dfe047483f6a8f1be69bf5754

(this sample)

  
Dropped by
MD5 ca3fdc95c72c231742846892c01b9835
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f81b600bdc6cc3567388b747dcd8125ed1af34d1ea5aa0a8207f3e9ff08ef3c3

Comments