MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af076d38fb1a0fe805a6a835aefa72a1eaa827bb0421dcc91bd2e6153469d60d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af076d38fb1a0fe805a6a835aefa72a1eaa827bb0421dcc91bd2e6153469d60d
SHA3-384 hash: cfd3b74c4a11734532b2a19622177244fd9696bf4539d02117b508347a7f4e5f5005603db1c26993bd056b10b6590e86
SHA1 hash: 532ef3d837165bc016b77a265827664cc323c830
MD5 hash: 5c2ec89282885c8ab327a2b54f3938f1
humanhash: xray-river-video-romeo
File name:new order.exe
Download: download sample
File size:1'321'984 bytes
First seen:2020-06-10 04:35:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:Mtb20pkaCqT5TBWgNQ7aHkhdK00MKOww0gJaiCIOCOF16A:1Vg5tQ7aHkhYRM/ww0ggFic5
Threatray 3'821 similar samples on MalwareBazaar
TLSH 3955D02373DD8365C3B25273BA25B701AEBB782506B5F56B2FD4093DE820122525EB73
Reporter jarumlus

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-06-09 16:26:23 UTC
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v4dw2oh3dih6qbngva2256tsuhvkqj53aqq5zsi32ltbkndj2ygq._file
Verdict:
malicious
Similar samples:
0b754578fd025440dc9661b2a4f0c853fa57a9dbb2c33d27ff7802176d38238b
1edf8c6bcf0ae2b38e9e28bcb1fd838c2ea35b5b126e4bc9e42daa2e1e722298
22948624c2febb3129079dfea0d1461ec0649c4f60ab69994876b9a8836a1142
4f51da0a7034a3b491bf21d56896d2cc97f5f240911abfaeacfe73d80bd84a34
8d1512de63fd1bf66f80c8ec2ec640464a6ce986101849488372a38fed2bcfb6
a9da529f0ad9088cec7e9441a7081084f417655533998caa004597a1bc6ef262
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
ea95c0511e50da3a5225f551733b37b0b8f117b42dacd071620984fb550a00c9
f130cec484223c8a539691962d1f9cd065bb45776e25bb34037c64d89be0e9d5
fe52c98bfa1f03fa429f4044d5e5bfc3cfd4a571a0f6d37e955397cf583cace5
+ 3'811 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-gtsfm1z1nj/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.becouf.com/wdm/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

z 8ac0efc52e1f95b3cf2bca166e3c16eb97b4099698e976e14cf24a283f296e58

Executable exe af076d38fb1a0fe805a6a835aefa72a1eaa827bb0421dcc91bd2e6153469d60d

(this sample)

  
Dropped by
MD5 8f4f7ce4055ee56d3f109b7786623c95
  
Dropped by
SHA256 8ac0efc52e1f95b3cf2bca166e3c16eb97b4099698e976e14cf24a283f296e58
  
Delivery method
Distributed via e-mail attachment

Comments