MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bca55e158b112f5d776f4402d48cdfaf5ae42b4d8f2e063ac69ba2405bfcc60a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5



SHA256 hash: bca55e158b112f5d776f4402d48cdfaf5ae42b4d8f2e063ac69ba2405bfcc60a
SHA3-384 hash: 98759dd9548c71ad7088c187608f870998cf48666aadc6f7e5dc9668533b76258898ad7ccd0ab6e5ae97a6920e06f2b8
SHA1 hash: b778b6ef1adf0eeb945b762a2ac99c893e5be5de
MD5 hash: 03f9ffea8cc879ec181c918152814554
humanhash: robert-lamp-finch-steak
File name: MV TBN -Specification and PL-DOCX.exe
Signature: FormBook
File size: 1'132'544 bytes
First seen: 2020-05-07 10:55:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 05921bf5bfb2e768ae47538780e783b7 (5 x AgentTesla, 3 x Loki, 2 x FormBook)
ssdeep: 24576:Jriopgj/L6x7yZURYHpI5GMZMM0K5yBM:J+oEU6HpIEMZMMcBM
Threatray: 5'096 similar samples on MalwareBazaar
TLSH: 3C359E22B2969437F2731A388C6B93949C2A7DD33D28B85A3BF51D4C5E392413D352E7
Reporter: jarumlus
Tags: FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 89
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Androm
Status: Malicious
First seen: 2020-05-07 11:39:17 UTC
File Type: PE (Exe)
Extracted files: 59
AV detection: 29 of 31 (93.55%)
Threat level: 2/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nyoxibwer.com/hm2/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  FormBook
    Executable exe bca55e158b112f5d776f4402d48cdfaf5ae42b4d8f2e063ac69ba2405bfcc60a (this sample)

Delivery method: Distributed via e-mail attachment

Comments