MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a3c65874fe1eb6d20f08ff802ffa3cf7ec93cfe500f4440929cd5378a39e2c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	0a3c65874fe1eb6d20f08ff802ffa3cf7ec93cfe500f4440929cd5378a39e2c8
SHA3-384 hash:	a7a4c4c590681d91feaf97c91220bf50e35ca32cb1c88b6deaa40d5929de4bd87a79d9672fcf9d10e3bd32409636116e
SHA1 hash:	f4e9345aeefefe68437c252bd070164f7d0f8d72
MD5 hash:	ec213cb2d2531e6fd906a92078c5e8b6
humanhash:	yankee-early-cup-lake
File name:	MV SKYPOINT-VESSEL PARTICULARS_pdf.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	740'352 bytes
First seen:	2020-07-15 05:19:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e1c1ff870c7f2916086288f794229846 (5 x AgentTesla, 4 x Loki, 2 x FormBook)
ssdeep	12288:xkXOU51w5qnnf9aG3EV+M6qzvXkqYJZYbMMhLxnq4oHO2oPLxJd+VTO0u:6eMbnn7EIqzAT+MM/nIu2oPLxJoTO
Threatray	5'324 similar samples on MalwareBazaar
TLSH	A1F4B062F2E04833D0771A3D9D1B97F8A82AFE41FD189A872BE45C4C9F3974178251A7
Reporter	jarumlus
Tags:	FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/25861/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Win32.Herz.B.13070.25735.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Reading critical registry keys

DNS request

Setting browser functions hooks

Possible injection to a system process

Unauthorized injection to a system process

Deleting of the original file

Unauthorized injection to a browser process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/0a3c65874fe1eb6d20f08ff802ffa3cf7ec93cfe500f4440929cd5378a39e2c8/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-14 02:51:23 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bi6glb2p4hvw2ihqr74af75dz57msph6kahuiqesttktpcrz4lea._file

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f

16c13e9c3a49e89d047f1b589596d24bc332af9d28ea6235aedd930e00b51281

30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921

5a0715de8860e50b6f80a1a1cd245d6133d6b3a15bfce756b46458efd8abd8ab

5ea5c833b683610be48142f34c9f8c98ab8f987b9aee34f1e7ed6d1c8567075f

8606768cb758ba8379659f65220250ebc1c491dabd668e7f98663571419cadf2

8f4bb4bd0cff9da6a0aee3e0204732840f045fab3ae23020385646fc47aae9f4

eb638769c780ac51f18d725025755c04acb90936ef9601137bf9fcaab8b47626

f374ef5b2acdbfd1d6b05763372c2b90e4075d1ea25ec9aaac6368bd06826d26

f8257ea6068267793a12ae2a1dfd91384664bee14820c51fd8984031ad3047de

+ 5'314 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

spyware evasion trojan stealer family:formbook persistence

Link:

https://tria.ge/reports/200715-g5yzd7nzea/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

Deletes itself

Reads user/profile data of web browsers

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

arj 449a0ab214d9b8cbde34e85c54f60b0029ca29a6bcad1cb273bf7d68f61a928a

exe 0a3c65874fe1eb6d20f08ff802ffa3cf7ec93cfe500f4440929cd5378a39e2c8

(this sample)

Dropped by

MD5 20fb0db209518d96bd315b94d958006b

Dropped by

SHA256 449a0ab214d9b8cbde34e85c54f60b0029ca29a6bcad1cb273bf7d68f61a928a

Dropped by

FormBook

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/25861/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample