MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 376fb6ea6472377b19e40fe92be6e5324665d57662993e5d8e87c9ebad993b53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	376fb6ea6472377b19e40fe92be6e5324665d57662993e5d8e87c9ebad993b53
SHA3-384 hash:	9ddb1200fd7f0af1c8386ae0c4958e6ef75e4032ea74229145c28ff6fdc024d66a8fd8a94a1767feaf816119262a3e85
SHA1 hash:	609404805d1f2ece47b98aac20cf71ed9e311e59
MD5 hash:	bf1237f5daea71da01bf006b3c0a61af
humanhash:	hot-alabama-blue-lemon
File name:	7by54.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	103'936 bytes
First seen:	2020-07-21 19:14:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	1536:ZAXHQI+xKkd19A7G5WEI5sOfyehhiav5pClKoY45RQNcg:ZknBk7HWntnoKE5RQNT
Threatray	5'106 similar samples on MalwareBazaar
TLSH	90A3566A87A15F1AE5BB83396CC6102807FDA51FE796C2377EB403C142F1BF51A3524A
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

84

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/30387/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader33.63211.26735.31797.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending an HTTP GET request

Sending a custom TCP request

Creating a file in the %temp% directory

Deleting a recently created file

Launching a process

Changing a file

Creating a file

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/393727

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/376fb6ea6472377b19e40fe92be6e5324665d57662993e5d8e87c9ebad993b53/

Threat name:

ByteCode-MSIL.Trojan.Scrami

Status:

Malicious

First seen:

2020-07-21 10:56:56 UTC

File Type:

PE (.Net Exe)

Extracted files:

3

AV detection:

33 of 48 (68.75%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=g5x3n2teoi3xwgpeb7usxzxfgjdglvlwmkmt4xmoq7e6xlmzhnjq._file

Verdict:

malicious

Similar samples:

12b43ed89fe65ad92c68c63b0dffa2d821ef5d1e506762f9a1c281ca624fd964

3c15d1bb32d82a136a76d6e8867506dc2cc12cc183ed5a5c79335cb569e7d52c

5258ca686922497380fdc5c7b379d805c914ba774ad6d6dc5b0455e5ecd8414c

5477643235b833aa541ecdc02ee302b141a306c8ab01b08341341f4a2fb20341

55fda8fe5169419bcbdfa68e712b378085ddd86638e0f84e50e6b6f43cf19334

8dceaa57045b4d03ea1f58bb2c82c4d4887dd74ca78bc114c1bc7bdf937e680d

8f9fcdd00e43b8845139ba38f9d4f164e526736578eab199e7f7af5d8179f01c

b0ae66cd2296539cdeb9f833ff7ebc3616cda6d8068d1883e27a04c9240d0d3f

c8cef19967cb820d5e92f85a17ebf98f631de62c9760b1eb1a790cb25961e356

e257a0a26f932ddedd2134e0a56eadc8c19d03049c7c6d9b7d3ca93720106b91

+ 5'096 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200721-jmhcty8z8s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

Reads user/profile data of web browsers

Blacklisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/30387/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample