MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dda2e0d9e1057b0dd8c64979c045e2909236d3ba0669f490b077547aa0f75827. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	dda2e0d9e1057b0dd8c64979c045e2909236d3ba0669f490b077547aa0f75827
SHA3-384 hash:	86bf5e44c193aa5803b0eb08c0c88ff47b964fadfab1366ca5dfa8b80ece6806253fa546d181b1f42ebdb270b6ddc5f3
SHA1 hash:	d13adb01d5df20d1d253596e5581b121db1238ff
MD5 hash:	b81531d325c0adfe37c48076a0c75e48
humanhash:	steak-tango-single-september
File name:	Mqrkjnc.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	932'352 bytes
First seen:	2020-06-29 12:30:11 UTC
Last seen:	2020-06-29 14:14:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8bf0b8175bc71f48d381c3afeae44e55 (3 x FormBook, 1 x AveMariaRAT, 1 x RemcosRAT)
ssdeep	12288:AmXqeinhqmSqxnDqnsQi8oMr8gRZAMrK+g7xBpCIJuxd6Ur5IScz5ISF+gAuA1K9:AoAjSqxusBdq7rkqYX/ebPx+E7eoD
Threatray	5'310 similar samples on MalwareBazaar
TLSH	7C15AE22F3D01037DD7326B89D5FAA6959267E802E69A84A2BF43DCA5F3D3517C1D083
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: mail.hotspotzavar.sk
Sending IP: 185.98.208.2
From: Mumtaz Ahmed<test@hotspotzavar.sk>
Reply-To: <Elandapos_Eric@163.com>
Subject: Re: Order Confirmation
Attachment: Mqrkjnc.rar (contains "Mqrkjnc.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

77

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/16270/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dda2e0d9e1057b0dd8c64979c045e2909236d3ba0669f490b077547aa0f75827/

Threat name:

Win32.Infostealer.BestaFera

Status:

Malicious

First seen:

2020-06-29 12:32:06 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3wrobwpbav5q3wggjf44arpcscjdnu52azu7jefqo5khvihxlatq._file

Verdict:

malicious

Similar samples:

0d271903774ae9467d80cad6fcaec4d2ea4653b8eb4c28e0a1c7dbe0849ccd01

1a96662a743a681756e4ae5ed7a3d259cca5a50725413698c1769939a950b455

40e20cc321623df3271e2ea7cbe75f647096a8a30737d21d0ef8ddbdc33a7f49

85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd

8fa8f67945e7ad85b3afc20abed666c8c69e9b0e592b9002c5bb78438d093d3e

9519395df08cc1e952c5d7bd57b705f105dcbe6a59a09f4ae6163873cd75c9bb

a93544715a31933d1ac1584d3a28bc7121872569baa1e3a7ecfed06f2d65031c

aea480ebd5777e840f0b988267554fe1d35f70238bed009231b24475fdc0b0d9

be29f9be4b998a7893c2c182c972406067eaf913364484a1fa824133d71ef54f

df2bbdd833be8896f46c8660acfc9da2711f2a75d8338240b781fc6ee3964f9e

+ 5'300 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence spyware evasion trojan

Link:

https://tria.ge/reports/200629-ssj6qc6pbn/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run entry to start application

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar a32c7844a85667f80575a05c422034340f08d167fe5962b0ec9e6d268b1b7451

exe dda2e0d9e1057b0dd8c64979c045e2909236d3ba0669f490b077547aa0f75827

(this sample)

Dropped by

MD5 b20493fecc1eba05003333b66aba391b

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 a32c7844a85667f80575a05c422034340f08d167fe5962b0ec9e6d268b1b7451

Cape

Cape

https://www.capesandbox.com/analysis/16270/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample