MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebc834f47e93a0d4956fa6df736e7aca512df3f88d04d73d2ab8c469a28ad02a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	ebc834f47e93a0d4956fa6df736e7aca512df3f88d04d73d2ab8c469a28ad02a
SHA3-384 hash:	546c6008c36de7cfec2f00d74789266cae6cc9fa0dc17dfd69fa8749476bc90ba915e4f84e44023606dbbcdfab730148
SHA1 hash:	ce98c60f511013e8f83770560d0cdf4c2cdcb030
MD5 hash:	4468db744c417123bad8646bc7b25d4f
humanhash:	lion-cup-berlin-victor
File name:	Pictures.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	985'600 bytes
First seen:	2020-06-28 07:36:55 UTC
Last seen:	2020-06-28 08:44:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	36c59039a5d2277d95faf77e2b67cda1 (3 x FormBook)
ssdeep	24576:mCcVhdV/AQxyzse6pqGWDO9xaAKWauiVre493ej:ADhqW/P4xQ
Threatray	5'141 similar samples on MalwareBazaar
TLSH	9625A162F3414937D5331B7C4C2B63986926BE112E2C58466FF89E4C6F3A7417C2A2E7
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: slot0.navigosgroups.com
Sending IP: 45.95.169.34
From: Nicole Gapes<info@navigosgroups.com>
Reply-To: gapes.nicole@yahoo.com
Subject: Property Purchase & Leasing
Attachment: Pictures.img (contains "Pictures.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

86

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/15162/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a file

Launching the default Windows debugger (dwwin.exe)

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ebc834f47e93a0d4956fa6df736e7aca512df3f88d04d73d2ab8c469a28ad02a/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-06-28 00:31:53 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5pedj5d6soqnjflpu3pxg3t2zjis347yrucnopjkxdcgtiuk2ava._file

Verdict:

malicious

Similar samples:

03cba0b3813108ec932306f5aaa9d152603a834b9caf3c601722a9cda41ca194

0df0a487b38b5d9bdbc8e2c05ba4c639dfe09969f5f68c85da43b46c16a48f6b

0e7ec69a6222b2753c0167997838b380acfd47834a6d1e7dd2475fd4fe07d63c

18dc7ad4fd5ffd0ec8b8f12884b41f3ace4e2ba95f704175ebf0a0eead74ba36

1f6b6d481b672f8ed428a044ebffa9e16424317c0081aad3c00cb61a547b90b5

560c76df97fdc5816fa9310921082a04b44b781e60bc77f84b970df04a36d1f4

9ea46ecef461a6c32eecb69c666d239fc9752daba6c1190b0b04d53909c7d842

b04cf62e1182fdae7ca1805ccc467ccd6d9a0db1a3a7419a9d6a2b5e41419d06

cac635b83d0ee884f8d8bbce419b4c9d13273f4a10c450c2ea50830dc683e3ac

ea12fb909266d6a6f7315c8ffe0fcedb6b63ba660cd91e7c2ac4e6db14596171

+ 5'131 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware persistence evasion trojan

Link:

https://tria.ge/reports/200628-nv7tvalexs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Drops file in Program Files directory

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Adds Run entry to start application

Reads user/profile data of web browsers

Deletes itself

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img b913477c3cca0dac38f2204a3de4e9320758da8d0f250661f90faff93dbfc2af

exe ebc834f47e93a0d4956fa6df736e7aca512df3f88d04d73d2ab8c469a28ad02a

(this sample)

Dropped by

MD5 37276a7ba49b80ddb4de294fce0036ea

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/15162/

Dropped by

SHA256 b913477c3cca0dac38f2204a3de4e9320758da8d0f250661f90faff93dbfc2af

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample