MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da63e8bb36574c655d7d306574afbc4a67396b12cf8553b1149e0ac8560dc313. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da63e8bb36574c655d7d306574afbc4a67396b12cf8553b1149e0ac8560dc313
SHA3-384 hash: 2d4edfa175b07f008817eac9c24dddd3f54b61b5a4c21cad73feedb01bc4ab2b3ea91832c34e6785d9a0655162ed1e7a
SHA1 hash: 2dfc0be7d26bce4bbd6dd3a930e3664e76de9ce7
MD5 hash: 18dd5c3906f514d194b4e00e338e2a44
humanhash: ohio-hamper-mobile-seventeen
File name:Attached is list of our purchase order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'041'920 bytes
First seen:2020-06-29 08:58:33 UTC
Last seen:2020-06-29 10:10:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5d0e79988ecb959886127ac7817e5abe (3 x FormBook)
ssdeep 12288:nLmPCfh8bqyp4hVV8E2KnYJuhEFNznsjgieOVEjvSnyDnAtrlktQB2eBoc:nLpfNN8EeHTzbnLmxlkWB2M
Threatray 5'440 similar samples on MalwareBazaar
TLSH 90259D23B3916C3ED13326789C5F46E45A26BF002B28A64A27E53D7D5F3AF5138991C3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.linux94.papaki.gr
Sending IP: 195.201.245.217
From: Nissos Kivittis <nissos.k@bwl.com.cy>
Subject: Re: Re: Re: Re: Order
Attachment: Attached is list of our purchase order.zip (contains "Attached is list of our purchase order.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16077/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da63e8bb36574c655d7d306574afbc4a67396b12cf8553b1149e0ac8560dc313/
Threat name:
Win32.Exploit.BypassUac
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 09:00:14 UTC
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3jr6rozwk5ggkxl5gbsxjl54jjtts2ysz6cvhmiutyfmqvqnymjq._file
Verdict:
malicious
Similar samples:
01563eeff9cd4cb84253c2c9bc40762d118780ab89c6c7b82ce9c9cf0a56a818
FormBook
017f433a49afcc765c5a5e7f39de6251fbe37d9c98f7d86f1abcefb1a9f559bc
FormBook
2ee68069c79304ab2bc383e02c7d9f07ecdc9f91e9680afe381c72715225a89e
FormBook
86d0178097eebb5010e24650ce79f80f19567ad2872f0f0b7325761a01cf67f5
FormBook
8afd54f2ed0af6d9593b0985cec1604748ca753900859fe4ee225d21b574e55e
FormBook
91ff383b66f03166257bbf629acfab862c2269e04b76bc49714520a5709e5e72
FormBook
ab654da16e2c42b2547b884c79f0829214b34e0d1db7ab0ad23271a66f3298c3
FormBook
be29f9be4b998a7893c2c182c972406067eaf913364484a1fa824133d71ef54f
FormBook
c5ccddfa0f7ee807513279b0195460cd48f3b36f2154c93ff3945fe30c647dde
FormBook
f4cbb077c89f62bb6542489c882b324e8e2880dc3970e2540e61d1d25fff157a
FormBook
+ 5'430 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware evasion trojan
Link:
https://tria.ge/reports/200629-fj9h8tsa4j/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Checks whether UAC is enabled
Reads user/profile data of web browsers
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip b6e5beb3b5ecd6117c5dc8dcd0223fc8465fcaac35222a0301d0bb9a5546cb6a

FormBook

Executable exe da63e8bb36574c655d7d306574afbc4a67396b12cf8553b1149e0ac8560dc313

(this sample)

  
Dropped by
MD5 a3841b22060407a52e5127c0a0120574
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/16077/
  
Dropped by
SHA256 b6e5beb3b5ecd6117c5dc8dcd0223fc8465fcaac35222a0301d0bb9a5546cb6a

Comments