MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce9bdfd831d37587b45359be190dbdc86a1ce30b2455dca7365f0d501e42005b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 4



SHA256 hash: ce9bdfd831d37587b45359be190dbdc86a1ce30b2455dca7365f0d501e42005b
SHA3-384 hash: 99421d004f5efd718d88011d06f50b2dc272cc8f58ec466fe12009309bf998d62c7609f704bc78734af9bcab4a0dcd62
SHA1 hash: b21fc31254f9e41354c82e2f51553d3bd8e035f5
MD5 hash: b945c4653d7ffe738d401772e5a97fd0
humanhash: fanta-idaho-mountain-diet
File name: Nronxna.exe
Signature: FormBook
File size: 621'568 bytes
First seen: 2020-06-23 15:01:45 UTC
Last seen: 2020-06-23 16:05:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 37ec15e12a6a58142524cbf63ac13fd6 (6 x RemcosRAT, 2 x FormBook, 1 x NetWire)
ssdeep: 12288:pARldIm597ql0ynjNHEJRXZdL38YN2qX7qWWWy/z:aXHql9njNHE5Z3PN2Ey/z
Threatray: 6'397 similar samples on MalwareBazaar
TLSH: ACD4AF33F2C08876C57E29B9AD0F45E5951ABE757E18688A3BCC1E4C4FBD2913C29193
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: gproxy4-pub.mail.unifiedlayer.com
Sending IP: 69.89.23.142
From: sales@softtissuepaper.com
Subject: PURCHASE ORDER
Attachment: PO585854.rar (contains "Nronxna.exe")

Intelligence


File Origin
# of uploads: 2
# of downloads: 92
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Remcosrat
Status: Malicious
First seen: 2020-06-23 15:03:03 UTC
AV detection: 24 of 30 (80.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: n/a

Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Sample: FormBook, Executable exe, ce9bdfd831d37587b45359be190dbdc86a1ce30b2455dca7365f0d501e42005b (this sample)
Dropped by: MD5 84066234e8e1e11986e054999405fd94
Delivery method: Distributed via e-mail attachment
