MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e65953c2d6e33c5da860ceac22ef685533e9b43bb3986e8e136eec82a5f5e547. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e65953c2d6e33c5da860ceac22ef685533e9b43bb3986e8e136eec82a5f5e547
SHA3-384 hash: 713b56c40bc9075224c6e56851b10b7c2d1a75c83cdf38b295e16c0b5d9bcb18af10f572b511871ff7c5ab19bf7d6f0c
SHA1 hash: 026ebd95292a57fda153f1b14ea96a8061b0e005
MD5 hash: b7aa69fa4ade89343880733f95f98efa
humanhash: lion-harry-north-triple
File name:PHGT-ATTACHED_LIST#1506202078473.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'259'520 bytes
First seen:2020-06-15 12:10:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 134a427d8e11e30f2e4389847cf6bf3c (3 x FormBook, 2 x NetWire, 1 x RemcosRAT)
ssdeep 24576:MBlDgE7EmXWAqSvg439vGSVNe1/hqIiHmwd7:M7DlC+GSjiBiGI
Threatray 97 similar samples on MalwareBazaar
TLSH AA456C32B2A1C433D5631A7CDC5B92FC9826BE10A92859877BF53D4CBF39741342A1A7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: ricomax.com
Sending IP: 104.129.0.106
From: Ricomax (HK) Ltd <info@ricomax.com>
Subject: Ricomax (HK) Ltd - SUPPLY INQUIRY
Attachment: PHGT-ATTACHED_LIST1506202078473.z (contains "PHGT-ATTACHED_LIST#1506202078473.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10348/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

SecuriteInfo.com.Backdoor.Win32.Bifrose.1593.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 12:12:07 UTC
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4zmvhqww4m6f3kdaz2wcf33ikuz6tnb3womg5dqtn3wifjpv4vdq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d
FormBook
178d42beb97c29b2c1e2ee08ac527d454e234c183ef03a29c357856443f9191b
FormBook
23808af89fdb7af9f2b747f6a339122177e7abc79136a411f24831cf329606b2
FormBook
2e5d08e10497cdd14499b4ae823f7d639a738d37784882db758e70fa3804e4e9
FormBook
862b45e2c98a175f625797db1d3342e0d9dc35b79e3386deb42c06b1918867d9
FormBook
8aa7a5eb1247b0d54b2bd29dd6b2d563ca30da4990c8220f61da826fe5941452
FormBook
939863edcaf7c655fb6e3020bdfe5138bf6e61faa3d3b037f113216ccc1be55a
FormBook
a7b2c2dfcb01c3c3b3dc945f3b8d1c907a4de8aba291241466a9da4c69492a29
FormBook
bcb474ac919440674135c673d8c6a0fc8015a63a15b2849c3346f74a716b5249
FormBook
f67653642f6bf485f584df4fbd546966e16fe413a2d152014dac2b586a656397
FormBook
+ 87 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader
Link:
https://tria.ge/reports/201109-4cw8hdz88s/
Behaviour
Suspicious use of WriteProcessMemory
ServiceHost packer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 689a8442fed5bf172d9d207314977bf77fb799659de23965bdcbf47e6ac77a12

FormBook

Executable exe e65953c2d6e33c5da860ceac22ef685533e9b43bb3986e8e136eec82a5f5e547

(this sample)

  
Dropped by
MD5 850fffedec571c7879caebe7fef1a2ca
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 689a8442fed5bf172d9d207314977bf77fb799659de23965bdcbf47e6ac77a12
Cape
Cape
https://www.capesandbox.com/analysis/10348/

Comments