MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbbfb4d66a6d1ff1fb9f476cc8607a2a0b1a0bb27bdaba095a3715489d8e4315. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	bbbfb4d66a6d1ff1fb9f476cc8607a2a0b1a0bb27bdaba095a3715489d8e4315
SHA3-384 hash:	e5b753790b0da1e0ca9c0e66ebdcf3d529f5ff5366253dcfc479dcb3ed919b661e7709e3c6289984254692a9efe738f2
SHA1 hash:	4dd995bf2183bc545d422f67abd6f3666bb14e1e
MD5 hash:	d75a4be4b55e4b2359298cde65d5fa9e
humanhash:	mobile-quiet-robert-lake
File name:	Facturas.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	931'328 bytes
First seen:	2020-07-13 11:12:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2a2488d4e6117f1c1c09ec31ad2be7a6 (9 x AgentTesla, 6 x MassLogger, 1 x FormBook)
ssdeep	24576:UivyudcBzOliBaw2xw6/czwBo+xga5FTSMqHIAK7s:UIs2czOoMgpks
Threatray	5'666 similar samples on MalwareBazaar
TLSH	12159D22F6914433C6732A3C9D5B97645C2AFE10EE38E98A2BF45D8C4F7968134352E7
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: fnadk-25.srv.cat
Sending IP: 46.16.62.251
From: Administracion <info@fedizseguros.com>
Reply-To: info@fedizseguros.com
Subject: CONSULTA TRANSFERENCIA FRA. Nº 6273 y Fr. Nº 6274.
Attachment: Factura FE2000716273.zip (contains "Facturas.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

106

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/25202/

Detection(s):

SecuriteInfo.com.Adware.Generic4.BBFB.UNOFFICIAL

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Launching cmd.exe command interpreter

DNS request

Sending an HTTP GET request

Setting browser functions hooks

Possible injection to a system process

Unauthorized injection to a recently created process

Unauthorized injection to a system process

Deleting of the original file

Unauthorized injection to a browser process

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bbbfb4d66a6d1ff1fb9f476cc8607a2a0b1a0bb27bdaba095a3715489d8e4315/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-13 11:14:09 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xo73jvtknup7d647i5wmqyd2fifruc5sppnluck2g4kurhmoimkq._file

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

2a40a9e18303875b2db452783190820001c898e8374864fec29793bf43bbe401

5620eaea502dcc3bc31e10dc48478022f518a15956a4b6565c454dd062859eff

5e76ddd6dfa4215c3dbd7269318d15a5e5fae698e65600df0aa3f16639d8fc44

6748690a2f2b4b6d137354eb13d5d86eb83867a372819c2377ac0f92975588e8

79aeb20e06ed62c3986034328cd3a6a5e08eb617cba4af679112640f786497da

7c73899c0587f768cfbb871b9305c7b47e85b39c330c5f82fd79345ee914d3d6

b1ab330d8407adbc0731fd66b869bca53515ccf732d1ad498515e5e04f993de4

c5b06fbd603308f84e5f80396dc5de515ec75a43825732c8a53265add22942c8

eb638769c780ac51f18d725025755c04acb90936ef9601137bf9fcaab8b47626

ff06a30035eba173931bf5d7a794f2b8202d8106151148bf4b6016a029718384

+ 5'656 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware persistence

Link:

https://tria.ge/reports/200713-mqnpm55c3a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Drops file in Program Files directory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run entry to start application

js

Adds Run entry to start application

Reads user/profile data of web browsers

Deletes itself

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip d64506f2b10920a8b985abec5d9b7666a1bb9825fc082d377705c5aa035ef5f1

exe bbbfb4d66a6d1ff1fb9f476cc8607a2a0b1a0bb27bdaba095a3715489d8e4315

(this sample)

Dropped by

MD5 829e64a343002e170329e0c3f4a0b910

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/25202/

Dropped by

SHA256 d64506f2b10920a8b985abec5d9b7666a1bb9825fc082d377705c5aa035ef5f1

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample