MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6858f384401b1ef40dd4515a1604fdf9bb7e0d5caf85d8798c89604d830227e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	6858f384401b1ef40dd4515a1604fdf9bb7e0d5caf85d8798c89604d830227e6
SHA3-384 hash:	a6d27546f4eef35b689cb555a334688e5d9580476de2c6e65f707fa37bc766d370bb116b5ba56022092b3fead25cd968
SHA1 hash:	35c569bbc05a2e1832a3de5140761b3be32d55d3
MD5 hash:	17fdb3e9ad3c871975c2ddc1786ffd24
humanhash:	winner-shade-carbon-item
File name:	mv GB Pacific _pdf.exe
Download:	download sample
File size:	1'316'352 bytes
First seen:	2020-06-01 13:23:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	24576:/tb20pkaCqT5TBWgNQ7aNJA3kMa9+BiA6A:8Vg5tQ7aNW3kMa9+95
Threatray	3'156 similar samples on MalwareBazaar
TLSH	5C55D01373DE8361C3725273BA26B741BEBB782506A1F96B2FD4093DE920121525EB73
Reporter	jarumlus

Intelligence

File Origin

# of uploads :

1

# of downloads :

63

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-06-01 01:50:49 UTC

AV detection:

23 of 31 (74.19%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nbmphbcadmppidoukfnbmbh57g5x4dk4v6c5q6mmrfqe3ayce7ta._file

Verdict:

malicious

Similar samples:

0b754578fd025440dc9661b2a4f0c853fa57a9dbb2c33d27ff7802176d38238b

1edf8c6bcf0ae2b38e9e28bcb1fd838c2ea35b5b126e4bc9e42daa2e1e722298

22948624c2febb3129079dfea0d1461ec0649c4f60ab69994876b9a8836a1142

29bad4252fa4cda5eea6a5a8587169e1d88d58f9c1fed8c13cf29695995178b6

3188ff8a40a461c9e4e386a62daefbe7033034a0c28cfb2b02c20874b7f53b92

4f51da0a7034a3b491bf21d56896d2cc97f5f240911abfaeacfe73d80bd84a34

60c5b12508b9f3e9f77cd3a6f8e4b9f3cd546bdc97a76c21b0d758712d9ea4c7

72e42f1672249fbd4db20c17d5e29fba5838ef08cf0f6964d84ffc434ea46f27

8d1512de63fd1bf66f80c8ec2ec640464a6ce986101849488372a38fed2bcfb6

d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba

+ 3'146 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-xbbc13qm8j/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of UnmapMainImage

Drops file in Program Files directory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Adds policy Run key to start application

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.lodipytu.com/xla/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

arj 27cc14bcdf3273df9f6db106ad52cf6bfd263c24c5d5043aa41f3b76d8dc3fe9

exe 6858f384401b1ef40dd4515a1604fdf9bb7e0d5caf85d8798c89604d830227e6

(this sample)

Dropped by

MD5 d75e3859c3a465be90712e4b5a8ceaa3

Dropped by

SHA256 27cc14bcdf3273df9f6db106ad52cf6bfd263c24c5d5043aa41f3b76d8dc3fe9

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample