MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10d6e6ffa24a33da75382f2268d9450e64513b5265cb81b18190961a73d8f1ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10d6e6ffa24a33da75382f2268d9450e64513b5265cb81b18190961a73d8f1ee
SHA3-384 hash: 830de68bb1bf4d00152e7e55f08fbe40b4c3f578053fa60409c1e10417e8cf0f176247b0d00dceb5464f317982da8e3d
SHA1 hash: 7db7d4d05164bed0ebf4ab53e6c17e5f81c72386
MD5 hash: 47c4850ea77b7973791ca028a48b3eff
humanhash: thirteen-robert-seven-cold
File name:RFQ-proudct list.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:696'320 bytes
First seen:2020-06-30 12:47:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3dbf6c2cd2886e109ef90dcce86638b7 (5 x FormBook, 1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:je7+LHvP79bjBoxHyzKXAzgqGD4tdCIJuxd6Ur5IScz5ISF+gAuA1KzqrRUyqqjK:yq779bjBoAzKXAPC4MYX/ebP2Hcjc
Threatray 5'162 similar samples on MalwareBazaar
TLSH EFE4CF21B3D0953BDD6B1BB48C0F6AA86C267D902E99584F3AF80CCE6B7D361342D153
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: natachi.net
Sending IP: 104.129.0.123
From: Le Phuong Nam <nam@natachi.net>
Subject: Urgent Request for Quotation
Attachment: RFQ-proudct list.z (contains "RFQ-proudct list.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17170/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10d6e6ffa24a33da75382f2268d9450e64513b5265cb81b18190961a73d8f1ee/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-30 12:49:05 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cdlon75cjiz5u5jyf4rgrwkfbzsfco2smxfydmmbsclbu46y6hxa._file
Verdict:
malicious
Similar samples:
2460c3a92796b5c40abef5471ee446623489b3c1bfb70f1015ab74961d477561
FormBook
3c5ef5423e281a468e9f0381327a9635f20626a98054e769fc08dd4270db01e4
FormBook
5e93b449a80beffbe61f82bfab9042149156227e74efb7e39c95d0044e4a0ab3
FormBook
5f09e9c7496cd8bfbb33147b3fea11791894235021e488eb17dcd582c9dae0b1
FormBook
6002f3f11291a303b7b38c97aa8446ef0b99ecd5aa5ae2aecdda388e97489532
FormBook
7b9a1aa88be62eb638af26146fce0a1b71aec646d2495fb350dd6d56997e7582
FormBook
9a4f12beb7153b4365384e8918afda0d14d33bae8fa32ce8be01c4dcbf08529f
FormBook
9d288f2ea49daa4323d1a496c42cbffdfbb148b634345ecc9147265bbdc43491
FormBook
a75706020d8d39c3ad03dafeb71baf8e555cbc0223f656aa9335420264a9773e
FormBook
eb071bd316e6c178749f622d90124be85a871aea6f87b3f6786e302f6e98a6a5
FormBook
+ 5'152 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware evasion trojan
Link:
https://tria.ge/reports/200630-wx3ebl83xa/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Checks whether UAC is enabled
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

z 6080edff90c4b91a9ee0c91e8c8770853d272a1c17f1750a6abb18530f0f067c

FormBook

Executable exe 10d6e6ffa24a33da75382f2268d9450e64513b5265cb81b18190961a73d8f1ee

(this sample)

  
Dropped by
MD5 369adf753c2f8a528c6315ad50300238
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/17170/
  
Dropped by
SHA256 6080edff90c4b91a9ee0c91e8c8770853d272a1c17f1750a6abb18530f0f067c

Comments