MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6002f3f11291a303b7b38c97aa8446ef0b99ecd5aa5ae2aecdda388e97489532. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	6002f3f11291a303b7b38c97aa8446ef0b99ecd5aa5ae2aecdda388e97489532
SHA3-384 hash:	37c0e356256f73c738b198fc5abec0695750c21615203ea18f6893871f590f8611d36f947d8599efdad0f2f59889d181
SHA1 hash:	c84511e9137408963f0ac4da7a993f9fddb311c2
MD5 hash:	eae6712971ff7e69bfae77f9fbd99ac1
humanhash:	fifteen-neptune-blossom-tango
File name:	Xxfgbqr.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	696'320 bytes
First seen:	2020-06-30 12:11:40 UTC
Last seen:	2020-06-30 13:11:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3dbf6c2cd2886e109ef90dcce86638b7 (5 x FormBook, 1 x NetWire, 1 x RemcosRAT)
ssdeep	12288:ae7+LHvP79bjBoxHyzKXAzgqGD4cdCIJuxd6Ur5IScz5ISF+gAuA1KzqrRUyqqj1:Fq779bjBoAzKXAPC4rYX/ebP2ccjc
Threatray	2'254 similar samples on MalwareBazaar
TLSH	13E4CF21B3D0953BDD5B1BB48C0F6AA86C267DA02E99584F3AF81CCE6B7D361342D153
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: shbc10.ultina.jp
Sending IP: 218.40.207.10
From: B Bayar Group Industry <zhaojun@cetjd.com>
Reply-To: zhaojun@cetjd.com
Subject: INQUIRY
Attachment: Xxfgbqr Order 6239.rar (contains "Xxfgbqr.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

78

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/17114/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6002f3f11291a303b7b38c97aa8446ef0b99ecd5aa5ae2aecdda388e97489532/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-06-30 12:13:04 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mabph4issgrqhn5trsl2vbcg54fzt3gvvjnoflwn3i4i5f2isuza._file

Verdict:

malicious

Similar samples:

10d6e6ffa24a33da75382f2268d9450e64513b5265cb81b18190961a73d8f1ee

3beb95c4f83e5f7d1af897311a6cd1d8abfb04c656ca73d7f4c8db6ad6e5d150

3c5ef5423e281a468e9f0381327a9635f20626a98054e769fc08dd4270db01e4

474cad642b1cf88f8d7f922cbfd9b8a00d7fc0eb40cafc0877007ee2884f105f

5f09e9c7496cd8bfbb33147b3fea11791894235021e488eb17dcd582c9dae0b1

6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b

7c2b01523e8d8a1ea6d09a426ad2a8fb88ec84bb9d3d0c42743b86ab16bd54c7

b9c1be5f81b9261b1bb68fb0f667a57721bd04b750427a9382844c42d18dba6e

d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba

e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c

+ 2'244 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence spyware evasion trojan

Link:

https://tria.ge/reports/200630-mptbykmwz6/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of SetThreadContext

Adds Run entry to start application

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

d2311c3408fa79d34b34b499290ba548

exe 6002f3f11291a303b7b38c97aa8446ef0b99ecd5aa5ae2aecdda388e97489532

(this sample)

Dropped by

MD5 d2311c3408fa79d34b34b499290ba548

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/17114/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample