MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f261df83598926b168c3515bde5a345dba7828d5bcbdedff5fc55cd16ec23a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f261df83598926b168c3515bde5a345dba7828d5bcbdedff5fc55cd16ec23a8
SHA3-384 hash: 0e5f2fc712432c2f909aeaa363e149d1418c159a10a7b51e76e8df2ba3bd545947bca1d0430d6642294012616a7878df
SHA1 hash: 0876c67101f3f146e293199971596a5b47123a4c
MD5 hash: f536c98ef869e3a9d1d6776edbee76b1
humanhash: uranus-alpha-twelve-timing
File name:order pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:665'088 bytes
First seen:2020-07-08 12:53:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c769aa33458940b0c0e3838f7c635f27 (4 x RemcosRAT, 3 x FormBook, 1 x AveMariaRAT)
ssdeep 12288:G1uSw3tWopwOdOGakJ1olUL+zUQJ75w9nGat3qDaitL8SU:Gkx308tOGakJ1gh4QJdw9GM6DaML8SU
Threatray 5'218 similar samples on MalwareBazaar
TLSH 44E47D52F6C09877D02B1A7DCC5FD664683ABE152D24D84A3AE67E0C4EF6341343B29B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: outsmtp03.sadecehosting.com
Sending IP: 78.135.113.146
From: batam@pmcontrol.com
Subject: Ri: Ri: Ri: Ri:Ri: Ri: Ri: Ri:Ri: Ri: Ri: Ri
Attachment: order pdf.zip (contains "order pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23107/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f261df83598926b168c3515bde5a345dba7828d5bcbdedff5fc55cd16ec23a8/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-07-08 12:55:05 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p4tb36bvtcjgwfumguk33zndixn2paunlpf55x7v7rk42fxmeoua._file
Verdict:
malicious
Similar samples:
35bb2187c8bcf8921677dc34a4a3bf7f33144c97370346f4ff616c82a2e278b5
FormBook
45a1bb88d5e48989369b90d346c9d706a24c8b1205c4358b6a3bda278aeee6cf
FormBook
609d299d6ea139c7d7e659274e10c9ed230b832caba065d352738a18db41b638
FormBook
65463a82bb20ec1f2d53e93c9e51538d55fff2844c746afc36e7a1c43cce36e4
FormBook
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
FormBook
9392304274014d5807d5a2271486ea5a72143d7a1214ecc1b59b1626dfc3ba64
FormBook
aa920a28098387bcdcca0c6e2b668a94b49b1ba5ab1129b27da5a42c4f645ca3
FormBook
c0307fdf9dcf72e69b33cb4327608c3d27bc5a26ce4552a1eae074f2557482dc
FormBook
d15bb0b2e07a91123300b30b6b7f26774e873a7bbbf677cdfd1a7c9547a1e353
FormBook
ea757d5009b479c116f888667fe901ed1c2f5687d26cd611df29298c17529153
FormBook
+ 5'208 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200708-dh17h986pa/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run entry to start application
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Adds Run entry to start application
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Adds Run entry to policy start application
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ee73e1c42ba22486333eb7eb4fdcbeb7

FormBook

Executable exe 7f261df83598926b168c3515bde5a345dba7828d5bcbdedff5fc55cd16ec23a8

(this sample)

  
Dropped by
MD5 ee73e1c42ba22486333eb7eb4fdcbeb7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23107/

Comments