MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5300a0a0ca9bc1ac90ad1543fe3a1687db23b8f05194f86263938c57e0503b84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	5300a0a0ca9bc1ac90ad1543fe3a1687db23b8f05194f86263938c57e0503b84
SHA3-384 hash:	6d567cec7dee6e66182bf132801fd9c610c81961cccd05b712949ef3469461b892adf48c6227d8964ec5574d7ce5300b
SHA1 hash:	750deac873706d16c1180ac9c3eda6f435828c3e
MD5 hash:	b0cac1cdd3c9ab7d332811850ddd8ab9
humanhash:	kansas-emma-violet-ceiling
File name:	cS7il0zOGtdU05K.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	373'248 bytes
First seen:	2020-07-12 11:24:33 UTC
Last seen:	2020-07-12 11:57:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	6144:Afyi+zcykrSrKbx9pmbJ4NcKf6+8V5aHiqeevcZJl27qWlt:g/WrumbJ4uP8iqhvcZJK
Threatray	5'150 similar samples on MalwareBazaar
TLSH	3884E0CA66BA021DFE494FF73CE65305C3379E25442EF60A7BB2F6956A7334801107A6
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

2

# of downloads :

115

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/24861/

Detection(s):

SecuriteInfo.com.LuheFihaA.1573.28965.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Launching cmd.exe command interpreter

Possible injection to a system process

Forced shutdown of a system process

Enabling autorun with Startup directory

Unauthorized injection to a system process

Deleting of the original file

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/5300a0a0ca9bc1ac90ad1543fe3a1687db23b8f05194f86263938c57e0503b84/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-07-12 06:49:17 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kmakbigktpa2zefncvb74oqwq7nshohqkgkpqytdsogfpycqhoca._file

Verdict:

malicious

Similar samples:

001af3efb9fa637cf4b597d86ec925a4283efb482417861aacabb46a848ec84d

01c8cc39f39c1a86d9dc4257a3c784bddba7bfc5037b77e6646ab0d15cf6d95c

3490dfb2560aed5d468605fbba8d770eeee2a336de3fd7e4a18f22afcad5bc44

7aec5714f249052bfb6d9195ee09affa5817bb20fb1096bb49bbc2fb10048e75

82621455e0c9ed9c46f6947beeaf2c5a6962a035eea50b337fad6368b5a6485b

831d3f64936f8082983b92c219976473a0cebca333b3d8af053bb1bc8de3fe57

95e40490a7ab8bc996d2a8a42233563ed067317e7b54a4083808a0d77ee2a5f5

cf9ad825f52e8a1af6104737421de123b3ebe44d62a51c340d69fd1d85d9d0b2

d76bb689a401094eee47a075368224161d261665c2b285b155d1b7833ba4fbaa

ee82b7263174f6d14a23263058616fda1c4676cecf6d0003696d255147963e1b

+ 5'140 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware persistence

Link:

https://tria.ge/reports/200712-ygf87577c2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Drops file in Program Files directory

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run entry to start application

Deletes itself

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 5300a0a0ca9bc1ac90ad1543fe3a1687db23b8f05194f86263938c57e0503b84

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/24861/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample