MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b9931b133a5a15ee73de2ffd8b6f2f7b80e834cf4a3cf17f030c479b21abf9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b9931b133a5a15ee73de2ffd8b6f2f7b80e834cf4a3cf17f030c479b21abf9b
SHA3-384 hash: 54ea59eade1368b39ae169bc6346da295a00cf16dbf7ffd29755af95cc62391f879bfe74638a8d418055cae06fb7cbcd
SHA1 hash: b665738b4fb841dd02699df85f6ba4cb7b2ad2b9
MD5 hash: 085e4e06334e8dbab10d45a5dd96c72e
humanhash: venus-paris-winner-washington
File name:muestras de productos.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:557'568 bytes
First seen:2020-06-18 12:42:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e12f2c4a80241c320d1e467092c2e8e9 (2 x FormBook, 1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:eOwnK/Ge2IN9EEMeHJj3yQvjhQtQO77eJ/YXC4:RwKVjEdeHVyytQtluq
Threatray 5'136 similar samples on MalwareBazaar
TLSH 79C49023F5F24433C163167D9D1BD7AC9C2ABE112D28A8466BE41D4C9F39B82391F297
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: srv1.langa.tv
Sending IP: 185.31.65.178
From: rgomez@fehlmex.mx
Subject: SWIFT DOZNAKA: ODRI PRINT DOO VALJEVO
Attachment: muestras de productos.zip (contains "muestras de productos.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19784/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-18 13:38:03 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tomtdmjtuwqv5zz54l75rnxs664a5a2m6sr46f7qgdchtmq2x6nq._file
Verdict:
malicious
Similar samples:
35bb2187c8bcf8921677dc34a4a3bf7f33144c97370346f4ff616c82a2e278b5
FormBook
45a1bb88d5e48989369b90d346c9d706a24c8b1205c4358b6a3bda278aeee6cf
FormBook
609d299d6ea139c7d7e659274e10c9ed230b832caba065d352738a18db41b638
FormBook
8018cda9143d0dfeddb6ef8e5e90a920d837d0bb7eea826b9ce37f3c96850859
FormBook
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
FormBook
b113aa45c20fb4a1b058a76068faf201fa21295df5aaf54e32f3034c6944947a
FormBook
c0307fdf9dcf72e69b33cb4327608c3d27bc5a26ce4552a1eae074f2557482dc
FormBook
cbb6d89187847aab1fcff6b5d832ea80bca30bfe5520702133cab83335392ead
FormBook
d15bb0b2e07a91123300b30b6b7f26774e873a7bbbf677cdfd1a7c9547a1e353
FormBook
e01b79e0c73e76e98ddca8c03d801e1742eeb3fec251b17162ef899332a12963
FormBook
+ 5'126 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware persistence
Link:
https://tria.ge/reports/200624-lfglttahrs/
Behaviour
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Reads user/profile data of web browsers
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 1d65e497a5fd1c02c83a04fba5cd07130ac17bda7b476ee70a0bf8202eed4be5

FormBook

Executable exe 9b9931b133a5a15ee73de2ffd8b6f2f7b80e834cf4a3cf17f030c479b21abf9b

(this sample)

  
Dropped by
MD5 18a6ac01533cce7b53a04314810349c1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1d65e497a5fd1c02c83a04fba5cd07130ac17bda7b476ee70a0bf8202eed4be5
Cape
Cape
https://www.capesandbox.com/analysis/19784/

Comments