MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b957ef817c366f048f64e10b916eb33113a58511a7aaa74212c93e080ed1af64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

SHA256 hash: b957ef817c366f048f64e10b916eb33113a58511a7aaa74212c93e080ed1af64
SHA3-384 hash: 44ee377b129088cf146468405f267cd7564cb0bbe7285c032eb92840f15fdaf0aa7ac49e2b3cb535bcb3e82a39ed8a9e
SHA1 hash: f1ccd14db75448cd4a12af3a2e7a9eb3491f62b8
MD5 hash: 79ffdf20a2611c964cfb629a5329584a
humanhash: october-london-skylark-wolfram
File name: documents_R02V104W1011.exe
Signature: FormBook
File size: 946'688 bytes
First seen: 2020-06-25 12:56:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e4ea71003f2e4bb27bd8bad8c2c3305e (6 x RemcosRAT, 2 x FormBook, 1 x NetWire)
ssdeep: 12288:us7OYB2c+UHVuEp4tZEmfZE7wuLzMLqPbziLlv039vSZ+mqpdgjxV9W:usKYIguEpKGk+XicUEdgT9W
Threatray: 5'312 similar samples on MalwareBazaar
TLSH: 74157E23F2914477C0631678AC6B5769993ABF112E28694B6BF83C0C5F393513C3E29B
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: Koeichemical.com
Sending IP: 104.129.0.123
From: shihal Kamal <sales@Koeichemical.com>
Subject: Confirm availability
Attachment: documents_R02V104W1011.gz (contains "documents_R02V104W1011.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 81
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Sending a custom TCP request
  Creating a file
  Launching the default Windows debugger (dwwin.exe)
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-06-25 13:53:46 UTC
AV detection: 36 of 48 (75.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: persistence spyware evasion trojan
Behaviour:
  Modifies Internet Explorer settings
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious behavior: MapViewOfSection
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
  Checks whether UAC is enabled
  Legitimate hosting services abused for malware hosting/C2
  Adds Run entry to start application
  Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: MD5 a5da6b267a998b64d5bad37c0ab29e5b (FormBook)
This sample: Executable exe b957ef817c366f048f64e10b916eb33113a58511a7aaa74212c93e080ed1af64
Delivery method: Distributed via e-mail attachment

Comments