MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bde8d605b2ce54ea697cab8be4daff0c2349322b42a96c8a9237ac7eff35314. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	2bde8d605b2ce54ea697cab8be4daff0c2349322b42a96c8a9237ac7eff35314
SHA3-384 hash:	64397f2c77cf2ec661ec4c6e61adb40041c7b748fc380c97a33cf694c96ea579485ef478d0cc530a851b8ba23af4bb19
SHA1 hash:	f32bd69bd927e98f13cd6168d2cd75b93bb1c27e
MD5 hash:	b9acbd74ef64764ea09a0f21eb887ba2
humanhash:	shade-violet-may-juliet
File name:	Commercial Invoice.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	828'416 bytes
First seen:	2020-08-18 06:20:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	639357242ed279ceaa4726408d2cc6d5 (10 x AgentTesla, 4 x Formbook, 3 x MassLogger)
ssdeep	12288:6HlYcrKanXHzeEjMx6p4ddVvjUip3GKfm8LonsMaKU+A5T3n9L8:6F7OuHzkK4d7403c8Un5aKU118
Threatray	2'242 similar samples on MalwareBazaar
TLSH	C3059E23B1E14837D1B22A7C5C1F72A8983ABE1039FC59477BE44C4C9F3A6913965E87
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing unidentified malware:

HELO: kleancuts.ml
Sending IP: 192.236.154.210
From: ''info@kleancuts.ml" <info@kleancuts.ml>
Reply-To: milsfrankblaze@gmail.com
Subject: Order 8203 || Commercial Invoice
Attachment: Commercial Invoice.arj (contains "Commercial Invoice.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

69

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/47511/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.BScope.Trojan.Crypt.5088.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Launching a process

Launching cmd.exe command interpreter

Modifying a system executable file

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/2bde8d605b2ce54ea697cab8be4daff0c2349322b42a96c8a9237ac7eff35314/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-08-17 12:01:11 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fppi2yc3ftsu5juxzk4l4tnp6dbdjezcwqvjnsfjen5mp37tkmka._file

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

0725fa234dd7f9bdcbcd0eef96c79017200f5c27676e4126a00c6d33e6601a5a

10f6a34d918459a9141dc00f36bb2587a0249d2c0bf67c97a9691f4a33c7d3d1

43a2a98bb50daedc36c6f08ab5698638de59f80ad30f9754b8ff690d90c088f3

57234a3ec3bf2d3e6539a25221595d791fcf68dbed39a942651819c74fc3c664

590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23

688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388

6d0c9ea95d779737b7e9ea2a838a0efede90f1d3c6ce91943e65067a82631b81

9256cc7129421443ba770b55f01042e58fa5af856df1db31e830f147213c2a1c

d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba

faf1dca0b043816dc1a448c778e8fc03030add15983e04a7cc39851297615c4f

+ 2'232 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat persistence spyware trojan stealer family:formbook

Link:

https://tria.ge/reports/200818-9lfrjp211a/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Deletes itself

Reads user/profile data of web browsers

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.regulars5.com/evcy/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

arj 5ef9cd57b76458d3295f29f89300c1635d60de142c5a5fd71d53c8a9e5d74a59

exe 2bde8d605b2ce54ea697cab8be4daff0c2349322b42a96c8a9237ac7eff35314

(this sample)

Dropped by

MD5 114b75e47967fd35a8538fb1550c9531

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/47511/

Dropped by

SHA256 5ef9cd57b76458d3295f29f89300c1635d60de142c5a5fd71d53c8a9e5d74a59

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample