MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ceb6064faccd6e14f29b29580731e0239928c13f5ee8d942fa743530b2ed73b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 7



SHA256 hash: 3ceb6064faccd6e14f29b29580731e0239928c13f5ee8d942fa743530b2ed73b
SHA3-384 hash: db1bdd67fa3feab22c7e96b360bfe7326243ff7b07a9a66d37e795893e6d15569c0923d2004b19a5802fd716442ec9b8
SHA1 hash: 238a4a841729dfbba4780e1df7fe3fb4bc259573
MD5 hash: 2831f8bac75877f1958599dc9fdb3e55
humanhash: spring-pennsylvania-early-fruit
File name: 2831f8bac75877f1958599dc9fdb3e55.exe
Signature: Formbook
File size: 1'067'176 bytes
First seen: 2020-07-21 10:01:40 UTC
Last seen: 2020-07-21 11:24:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5e381c455fbb563ca5f2237e8dff94bd (4 x RemcosRAT, 2 x Formbook, 1 x NetWire)
ssdeep: 24576:C0vtfbdNzTnlj/jllmyXaybwEIVKGfHNBJV2jjFP0Mt:C0v9f/axEIVRfHfJV2nFP0M
Threatray: 5'492 similar samples on MalwareBazaar
TLSH: 5D35AF23F2A08D32D1331538DC535ABC9A6EBF153625984D6AE6DF0C8F3918179393A7
Reporter: abuse_ch
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 2
# of downloads: 72
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Launching cmd.exe command interpreter

Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Behaviour
Behavior Graph (ID: 248864)
Sample: kPvuaTrhbP.exe
Start date: 21/07/2020
Architecture: WINDOWS
Score: 100

Sample-level findings:
  Contacted domain: www.wp011.com
  Multi AV Scanner detection for domain / URL
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  6 other signatures

Process tree:
kPvuaTrhbP.exe (started)
  Network: speedfinance-cloud.gleeze.com, 185.241.194.58 (ports 49720, 49725, 49727), NETALISFR, Russian Federation
  Dropped: C:\Users\user\AppData\Local\...\fmiafck.exe (PE32)
  ieinstal.exe (started)
    Modifies the context of a thread in another process (thread injection)
    Maps a DLL or memory area into another process
    Queues an APC in another process (thread injection)
    explorer.exe (injected)
      ipconfig.exe (started)
        Dropped: C:\Users\user\AppData\...4160logrv.ini (data)
        Dropped: C:\Users\user\AppData\...4360logri.ini (data)
        Dropped: C:\Users\user\AppData\...4560logrf.ini (data)
        Detected FormBook malware
        Tries to steal Mail credentials (via file access)
        Tries to harvest and steal browser information (history, passwords, etc)
        3 other signatures
        cmd.exe (started)
          Dropped: C:\Users\user\AppData\Local\Temp\DB1 (SQLite)
          Tries to harvest and steal browser information (history, passwords, etc)
          conhost.exe (started)
      mshta.exe (started)
        fmiafck.exe (started)
          Network: speedfinance-cloud.gleeze.com
          Multi AV Scanner detection for dropped file
          Machine Learning detection for dropped file
      mshta.exe (started)
        fmiafck.exe (started)
          Network: speedfinance-cloud.gleeze.com
      3 other processes
Result
Threat name: Win32.Trojan.Delf
Status: Malicious
First seen: 2020-07-21 10:03:05 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: spyware persistence
Behaviour
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: Formbook
File type: Executable exe
SHA256: 3ceb6064faccd6e14f29b29580731e0239928c13f5ee8d942fa743530b2ed73b (this sample)

Delivery method
Distributed via web download
