MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be100d30450e36b7bdded9c44514e7d3bcf9b24d9ef7f07f1ed6f4b1f9cbf930. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	be100d30450e36b7bdded9c44514e7d3bcf9b24d9ef7f07f1ed6f4b1f9cbf930
SHA3-384 hash:	f3a4f733524eb1f86a32dd223fc72db968bef3203dcaf7c65fc43abc95eb6cde67a29838d4fcc20363b6d71f5a2a5575
SHA1 hash:	5f76f03a5127c5f9d1a28accf17514ff8f34b3b9
MD5 hash:	2577a2097b467fa80f6d5dc19bf01928
humanhash:	happy-bulldog-helium-lamp
File name:	2577a2097b467fa80f6d5dc19bf01928.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	442'368 bytes
First seen:	2020-06-04 12:42:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	6144:9JZnHQwhOfPTH2HG2ZxytZCXPeKFZG6PdZE2s5RDJMbtNrBe:9jnwwhoHQG2LcCX9FLEx5RDJMb0
Threatray	5'115 similar samples on MalwareBazaar
TLSH	21946B4ABA71FDBFC5E6A5BB45543C109E1C2DA24E67B103A45B7188FDBE947CE000E2
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

88

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2020-06-05 00:05:00 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xyia2mcfby3lppo63hcekfhh2o6ptmsnt337a7y6232ld6ol7eya._file

Verdict:

malicious

Similar samples:

39beaadc7ebcd39abe102931c29a0be72847ecad0441185bc499304989c04abc

41baebffaddb418b4eca6aff0e3837100c93b9b025be18ebc887493f10608a13

782999121ca089a150f34c3527a7e1c1a5f9c59a73034e3bf6ca166c590a47f3

799f11327960ae9d85650736dc87515a5edaad3c14ddaceeb0214136f33498a0

841b9682f1bcb94cc4c510c2564791004f3d1c26ae764c42c145fe16ab093901

ce2fb70594dabbee01ba985e6e04a5fbdc57b2d589722dab7213c999151efcef

d7980c1e8ee9c38009cacdbc00f12940564aa7b33bc35ccc67510aeb57b75e2e

f310aa4f6cb0b3c3d237d13640594dd0a06f8c42ab5ecd1cba3daecc860129bf

f597fc149ad055ccfeddf58c3547b06ad4197190d39af11cc260fe65a53da7fc

f9fd67b28fd985eb062137c47d008ee299099dc5adf63168470603ba635a286d

+ 5'105 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-e2qkgk334s/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.nimtax.com/ut/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe be100d30450e36b7bdded9c44514e7d3bcf9b24d9ef7f07f1ed6f4b1f9cbf930

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample