MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8ee3458736fa73672b43a4c55e136bafc48b215dcb89dac28b5865ab59fc99c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	b8ee3458736fa73672b43a4c55e136bafc48b215dcb89dac28b5865ab59fc99c
SHA3-384 hash:	5d61e59a8ba137a0ed8fdcfb46a9f552e219f43c83a44abb92e01170e6f5bf593b0b938abf7ea679804313b77c7a93f3
SHA1 hash:	73f8930f40c968db4b2926e721a5c311ed10621e
MD5 hash:	43951a13b375c0abba7ff9801a33142f
humanhash:	quiet-mexico-fish-emma
File name:	43951a13b375c0abba7ff9801a33142f.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'201'564 bytes
First seen:	2020-05-18 12:18:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep	24576:8NA3R5drXONnLAL7hXoxPze//1KnFVQlGzBEND8dN56:95Wkx4a//1KzOGOKde
Threatray	5'338 similar samples on MalwareBazaar
TLSH	8745E033E38344B6D179073104A75B2569BABD301A76870BEBA43A6D6D327907E31F93
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

98

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Swotter

Status:

Malicious

First seen:

2020-05-18 12:35:44 UTC

File Type:

PE (Exe)

Extracted files:

8

AV detection:

26 of 31 (83.87%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xdxdiwdtn6ttm4vuhjgflyjwxl6ermqv3s4j3lbiwwdfvnm7zgoa._file

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

0cd1ca47d2e04de65562e1ba4d8ce4545ee486999f8f0eb7adc880c7fb7fc9b8

4923037fb58a4491f08c85e0cf38a74d92dd36860932814170dc942a031bad2f

5c5e4e31bde29168e03fa8cce36bab9b577568137edab59f68f8968616546ed9

61e169cb08c5e3b163370cd992574347625e887eca583922412ddfaed2d6bd10

8e5e93b6f3eee7f1a08a0420b25105017d3479769e6bf9d6b2518d3abc6b1a75

9cd4df25010125f2ef3eeef44503b3c2b58435af758fe7213d053a60f018f3d8

addd4ba4b4aa754501d638cbbf3c78bec538ca15a72acb5eadc7babfaecfa350

c67fe1304d6455bcae5c07b3f7fece584628b05d286b68da6e85275f7695b2aa

ed3318102d772c4dcecfb1e10f37cfd3fdcbaff1d340ba9c2bc5dcfe6383f339

f163f4788da0d445dec687df7d215b6af3c4bea10589fa268e6aff20ff335510

+ 5'328 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:formbook family:nanocore keylogger persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-rnzdxls1mx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Gathers network information

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds policy Run key to start application

Formbook Payload

Formbook

NanoCore

Malware Config

C2 Extraction:

http://www.mansiobok2.info/mnf3/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe b8ee3458736fa73672b43a4c55e136bafc48b215dcb89dac28b5865ab59fc99c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/358705/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample