MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a6ed8b38376300f4f5a104c20726e2d90eb9e1bc26055596617f3ee2a28a350. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	1a6ed8b38376300f4f5a104c20726e2d90eb9e1bc26055596617f3ee2a28a350
SHA3-384 hash:	57be9c8fc6ee83c58fd77a144655ab745f07bf8742c9f2139f595323a7421438718261348a261d3036a088512d007b76
SHA1 hash:	0c549a97cbf25e0cfb2cac7d2c9c89daec662835
MD5 hash:	6789fab72271901347517989738c0400
humanhash:	stream-hamper-friend-nitrogen
File name:	uzoraka proizvoda.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	1'135'104 bytes
First seen:	2020-06-23 14:23:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8299f715d855d2a6068b551514417b5d (2 x RemcosRAT, 2 x FormBook, 1 x NetWire)
ssdeep	12288:3jDbd29xj+02YMHFpC0cjKdOaQKj7sHkp1OcM+u4ncrpRz+gh:3fR29002pHFpC0cjKdjQKsEnOdL4qz
Threatray	5'117 similar samples on MalwareBazaar
TLSH	23357C22F380C837D0631B758C5FD7A86826BE546E28984B3AE93F0D5FB5351353A297
Reporter	abuse_ch
Tags:	exe FormBook geo HRV

abuse_ch

Malspam distributing FormBook:

From: tomo.hendija@koncar-mk.hr
Subject: Re: Re Re: Re Re: Re Re: Re Dokumentacija za izradu kupola P003215 SK:230-233
Attachment: uzoraka proizvoda.zip (contains "uzoraka proizvoda.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

105

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/13093/

Detection(s):

SecuriteInfo.com.BScope.Trojan.Downloader.18485.UNOFFICIAL

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1a6ed8b38376300f4f5a104c20726e2d90eb9e1bc26055596617f3ee2a28a350/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2020-06-23 09:30:07 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=djxnrm4doyya6t22cbgca4tofwioxhq3yjqfkwlgc7z64kriunia._file

Verdict:

malicious

Similar samples:

35bb2187c8bcf8921677dc34a4a3bf7f33144c97370346f4ff616c82a2e278b5

45a1bb88d5e48989369b90d346c9d706a24c8b1205c4358b6a3bda278aeee6cf

62129dc8193a75313e61a1feb2146bd798ec2c84b12d99aac6560cdb7ee9e309

65463a82bb20ec1f2d53e93c9e51538d55fff2844c746afc36e7a1c43cce36e4

7f261df83598926b168c3515bde5a345dba7828d5bcbdedff5fc55cd16ec23a8

85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd

9392304274014d5807d5a2271486ea5a72143d7a1214ecc1b59b1626dfc3ba64

c0307fdf9dcf72e69b33cb4327608c3d27bc5a26ce4552a1eae074f2557482dc

d15bb0b2e07a91123300b30b6b7f26774e873a7bbbf677cdfd1a7c9547a1e353

ea757d5009b479c116f888667fe901ed1c2f5687d26cd611df29298c17529153

+ 5'107 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence spyware evasion trojan

Link:

https://tria.ge/reports/200624-4cxdclw1q2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Adds Run entry to start application

Reads user/profile data of web browsers

Adds Run entry to policy start application

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip ba59839a9eb0b905e936f915f15a83c14a1523f3cb726508a774d21d74997c35

exe 1a6ed8b38376300f4f5a104c20726e2d90eb9e1bc26055596617f3ee2a28a350

(this sample)

Dropped by

MD5 f7f2480473d44a70cd0d63890e7e3fe9

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/13093/

Dropped by

SHA256 ba59839a9eb0b905e936f915f15a83c14a1523f3cb726508a774d21d74997c35

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample