MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ceee0c8772c6b5a2cff7d9f3bc824c088f3c7d034b9898c74f79e11b59210257. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ceee0c8772c6b5a2cff7d9f3bc824c088f3c7d034b9898c74f79e11b59210257
SHA3-384 hash: 4771bf03ee966d605e9b1bf580f739f090b325f66f341e41bfec98bd5a1e13c5f8a5618461507efd59501f291a76ec65
SHA1 hash: 3e2e546204e71e75594c8b0430e4a3d4e535f20a
MD5 hash: cc5e1a729a686d7ba8abe1dc8f00326c
humanhash: arizona-item-failed-triple
File name:Alfa Laval Aalborg AS Statement of Account_xlxs.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:756'224 bytes
First seen:2020-07-21 07:50:24 UTC
Last seen:2020-07-24 10:23:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d8412990f74f880a4a63b66fdb523827 (11 x AgentTesla, 8 x Loki, 5 x FormBook)
ssdeep 12288:CZnGUxq0RwFvcGHq8TxFsb4mOKKEzem/nfw0AUE3vFrnb5g9YN:0GuqtFvm8TxmZlzfffw0ZEFb5
Threatray 5'342 similar samples on MalwareBazaar
TLSH 4FF4AF66F2D00837C16B2B3F9C1B97A4A929BF5D2A28994727F41CCC5F397813839197
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: apple.itnti.net
Sending IP: 217.174.251.133
From: Technava SA - Lina Velli <l.velli@technava.gr>
Reply-To: I.velli@technava.gr
Subject: Alfa Laval Aalborg AS Statement of Account
Attachment: Alfa Laval Aalborg AS Statement of Account_xlxs.xz (contains "Alfa Laval Aalborg AS Statement of Account_xlxs.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29851/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching cmd.exe command interpreter
Setting browser functions hooks
Creating a window
Unauthorized injection to a recently created process
Launching a process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/392835
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ceee0c8772c6b5a2cff7d9f3bc824c088f3c7d034b9898c74f79e11b59210257/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 06:39:39 UTC
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z3xazb3sy222ft7x3hz3zasmbchty7idjomjrr2pphqrwwjbajlq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
062778fce91ba3c9ecc4b3cc3cb5b4e3f41846699307fe2da8295c3b3da0339d
FormBook
4ad5c25440866b278662c4410e30147f8d0dc94c7c4024d56955174ed608d3a9
FormBook
6e2a6ffd8aa7c33dca7aa63dd89a4b30b4bcb78d4a31db6d03d1f2434cf94e23
FormBook
7af08bbd907a68770548426050115d6b0aeba599e0c3bd03c03f5ef8268ceb11
FormBook
a35d69993515cae4a630d53eed0c26a8bb5c9026db01caba7b4e8a07075d209a
FormBook
a9f95f4853acbd95142dba6914c2c87ad89d1c1db87ae6ea95ada23d63635c9d
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
c9f7661a1a814820db663d5a916abd38a6c824429542e8b833c9a4e67974ac80
FormBook
d4f92eedf4a8eb72f4825a974b88d094fe8ec8604d18735602536060e65a471b
FormBook
f4f6a523d411d3407372f81a18fe32a078e36c3715cf3b88f60fe05e6eb37fba
FormBook
+ 5'332 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200721-7as4k67k5x/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ceee0c8772c6b5a2cff7d9f3bc824c088f3c7d034b9898c74f79e11b59210257

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

xz 1776c444d5cb867862fd71c5db0d2745016c6a9d8f588340e6395fd4c1fb9353

FormBook

Executable exe ceee0c8772c6b5a2cff7d9f3bc824c088f3c7d034b9898c74f79e11b59210257

(this sample)

  
Dropped by
MD5 000091fe6c6f3a2c7e6f59bb5f790d2f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29851/
  
Dropped by
SHA256 1776c444d5cb867862fd71c5db0d2745016c6a9d8f588340e6395fd4c1fb9353

Comments