MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad36c93aff3c5ad262be5608200b1d583624dd29cfb2a78fd4dfab034282bde6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	ad36c93aff3c5ad262be5608200b1d583624dd29cfb2a78fd4dfab034282bde6
SHA3-384 hash:	07088301d20e381dc625c3ab65508adc0274baec2b83014faff38dce5a9307dc28f09db4989d70cbf0551a103d48a3be
SHA1 hash:	13e51d72964664c8c77e96f8dc4215fb68cdb0aa
MD5 hash:	68f13add273d37deaaf40c0b59a1093c
humanhash:	cat-vermont-princess-east
File name:	rajx.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	737'280 bytes
First seen:	2020-06-23 13:37:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a3bfafd3839d7a926bcc393a99921236 (14 x AgentTesla, 10 x Loki, 3 x Formbook)
ssdeep	12288:GDRuXrEbb00e9ElcwOixtthKGc7WR5Sc7YpDqItGJYbl7dVhc9ihCWgQ:IYbQhe9RKthmg5ANtgYbl7XM8CX
Threatray	5'112 similar samples on MalwareBazaar
TLSH	40F4AEE6E2E048F2C162157D7C9BD7B8982EBD5129245A472BE5DCCC9F3D381343A287
Reporter	James_inthe_box
Tags:	exe

Intelligence

File Origin

# of uploads :

1

# of downloads :

79

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/13010/

Detection(s):

SecuriteInfo.com.Win32.Herz.B.29682.7947.UNOFFICIAL

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/ad36c93aff3c5ad262be5608200b1d583624dd29cfb2a78fd4dfab034282bde6/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-06-23 05:14:11 UTC

File Type:

PE (Exe)

Extracted files:

295

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

035c2fa5d912202dd34e8410b14a42b0db007c2be8ed819bbc444f9818497f5b

362e9be80f3970af70ae1fd73b15f5224cec9e478b3b6ceac996ef5555eba65e

3beb95c4f83e5f7d1af897311a6cd1d8abfb04c656ca73d7f4c8db6ad6e5d150

3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b

6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b

79aeb20e06ed62c3986034328cd3a6a5e08eb617cba4af679112640f786497da

9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264

b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634

c2221b7f65afde44bb459fec37286e4ad1f032d30be34d04527497c4b6acfdbd

d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba

+ 5'102 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

persistence spyware evasion trojan stealer family:formbook

Link:

https://tria.ge/reports/200624-9w517dmh9x/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Deletes itself

Reads user/profile data of web browsers

Adds Run entry to policy start application

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/13010/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample