MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1da4b468d73fc42a66997489158157db646e310bea0488cb64720dab5d5b6ba6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1da4b468d73fc42a66997489158157db646e310bea0488cb64720dab5d5b6ba6
SHA3-384 hash: 54dd4e59a6095ee8a515fce1d72b8903d0209487fb6acb689409fb4d1be40e66aba9cbf3b993b569b69096d895fd3059
SHA1 hash: 24e60f695ee4c1ef1e29bbd3949d499f00ba72b0
MD5 hash: 4f45dff404b2cbac8a516de960d5c3f3
humanhash: india-bravo-nitrogen-lithium
File name:RFx-20-QAI-PRJ-0051-SP&P.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:760'832 bytes
First seen:2020-06-18 09:40:05 UTC
Last seen:2020-06-18 11:00:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 90117697cc8be5d6ed7c153e6a15a30e (8 x AgentTesla, 3 x NanoCore, 2 x Loki)
ssdeep 12288:SzvyFcE4IMkvtlLnUHRyC0ZQXO7dEkPopRfnb8uKHEq8SeoGN3rwX1ukU:4GcUvtGoC02Ohz45nb8uKH1sDwXok
Threatray 5'230 similar samples on MalwareBazaar
TLSH C1F49D27E2E05433C1671E398F5B9774AD2DBE102D68A9466BF4FD4C9F392813836293
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: spfilter-4.mschosting.com
Sending IP: 110.4.43.244
From: Norliya Binti Nayan <norliyanayan@dialogasia.com>
Reply-To: norliyanyan@dialogasia.com
Subject: RFQ-344-007920
Attachment: RFx-20-QAI-PRJ-0051-SPP.arj (contains "RFx-20-QAI-PRJ-0051-SP&P.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19731/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dwsli2gxh7ccuzuzoserlakx3nsg4mil5icirs3eoig2wxk3nota._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35
FormBook
18bd5c2848991602d7bc3373a890286cbb2babcb9f272779e8e8d38568064c05
FormBook
347aa505ad319b4d8ee54aabe34dfc2af12b4747af23c6b635821ba9aedd0e32
FormBook
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
FormBook
4c1fe4c0f5d8d1277036802c83df3e083b31318dfc2c194ce93b7169d7ba6e3d
FormBook
565eb959d96fa0af1735a761aa0b87de4bcb887e80d3802e9cf92efe7bd2b554
FormBook
79aeb20e06ed62c3986034328cd3a6a5e08eb617cba4af679112640f786497da
FormBook
b00ebd12d239ba9f75f11b3ad96b127730779e48f3e2fead50c9e5a7b7ca598a
FormBook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
FormBook
fbf0680165efb20121f2cc3292421424ce7f8766b603579c1f7e9dfeee773ad3
FormBook
+ 5'220 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:formbook persistence evasion
Link:
https://tria.ge/reports/200624-5nkgbpzegs/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

f284c6eeb0fab462cdf5c5c1b1aa793c

FormBook

Executable exe 1da4b468d73fc42a66997489158157db646e310bea0488cb64720dab5d5b6ba6

(this sample)

  
Dropped by
MD5 f284c6eeb0fab462cdf5c5c1b1aa793c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/19731/

Comments