MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aebcacef83bf139cf1f922a1c8687449286d661908b9ffbdd7e51866ebde4409. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: FormBook
Vendor detections: 4

SHA256 hash: aebcacef83bf139cf1f922a1c8687449286d661908b9ffbdd7e51866ebde4409
SHA3-384 hash: 64205708f184defcf34c2a199a2d20e87c0c65f82c6db2bb5911b9333599182c3d9084dd061e6984c32d9ddb756fc3a5
SHA1 hash: a1be1460bc8b90c8a15d46ac00e6f405e5fa03f6
MD5 hash: 7694407a8c7f28b118a21727f111826b
humanhash: twelve-black-sixteen-don
File name: awele.pdf.com
Signature: FormBook
File size: 65'536 bytes
First seen: 2020-05-13 06:52:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ab3af5e62d5ba14d98be7574ccf4d70d (2 x GuLoader, 1 x FormBook)
ssdeep: 768:T1WztmMUZlgl8UFEz3BcMfJPoIIDbOFYJbw0Zh2tLjxG616FsPKSy:5W8MeUQRc1rez9jH16aP+
Threatray: 5'120 similar samples on MalwareBazaar
TLSH: A953D70DEDE89DFDD62DCBBECE6A168440466D300DB38FC724483AD96633672971532A
Reporter: abuse_ch
Tags: com DHL FormBook


Comment by abuse_ch:
Malspam distributing FormBook:

HELO: [139.59.83.25]
Sending IP: 139.59.83.25
From: Dries Derwael<bltrl@dhl.com>
Reply-To: henrysales1171@gmail.com
Subject: DHL- Your Package Has Arrived but With Issues. - Urgent
Attachment: awele.pdf.xz (contains "awele.pdf.com")

Intelligence

File Origin
# of uploads: 1
# of downloads: 91
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Rdn
Status: Malicious
First seen: 2020-05-13 04:41:50 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 19 of 31 (61.29%)
Threat level: 2/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a

Behaviour
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Legitimate hosting services abused for malware hosting/C2
- Checks QEMU agent state file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: FormBook
File type: Executable exe
SHA256 hash: aebcacef83bf139cf1f922a1c8687449286d661908b9ffbdd7e51866ebde4409 (this sample)

Comments