MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ea2f3bcf61af074cf7b6f6b566c95bef78126999cf79a5c6b67e0df9c0b28bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 4



SHA256 hash: 4ea2f3bcf61af074cf7b6f6b566c95bef78126999cf79a5c6b67e0df9c0b28bf
SHA3-384 hash: abe3c3408fbcbab9188f8ac067ea3a44e078aa65c4db856a92c01b02edf4141dc8d9ddb8c5878719bf099e855bfb142a
SHA1 hash: a579a41953641b1acf2595e77fa0ef1a02b53cd4
MD5 hash: ce7125b39cc91b03f238f3da281e6cce
humanhash: snake-october-indigo-diet
File name: 552020 Scan pdf.exe
Signature: FormBook
File size: 110'592 bytes
First seen: 2020-05-05 13:31:35 UTC
Last seen: 2020-05-05 14:52:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: cd3152519c69eedcdb831aeaf776d7c0 (1 x GuLoader, 1 x FormBook)
ssdeep: 1536:D1yRXaviXmJe6h1J9ZuDhLuxS5IeekJ8PCHAU60f:UR2DJ9ZuDhLuxZGJsCp60f
Threatray: 71 similar samples on MalwareBazaar
TLSH: 1AB320405AE5FC1AE8A93AF1D765F09DC7806D35A871722BAAC1714F1F389809F3076B
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: api.plumservicecenter.host
Sending IP: 162.246.21.5
From: Plukon (Sales Deparment) <no-reply@plumservicecenter.host>
Subject: Re: Sales Confirmation New Order RFQPI02390202
Attachment: 552020 Scan pdf.iso (contains "552020 Scan pdf.exe")

Intelligence


File Origin
# of uploads: 3
# of downloads: 104
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-05-05 13:35:41 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 23 of 31 (74.19%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence

Behaviour
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent state file
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Related sample: 097257e2f7761bcb91832b2f542777b0 (FormBook)
This sample: Executable exe 4ea2f3bcf61af074cf7b6f6b566c95bef78126999cf79a5c6b67e0df9c0b28bf
Dropped by: MD5 097257e2f7761bcb91832b2f542777b0
Delivery method: Distributed via e-mail attachment

Comments