MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf6bbd5a9224dcd52aa71c16288945611a3348ca9953f32fa92a4c481c307195. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	cf6bbd5a9224dcd52aa71c16288945611a3348ca9953f32fa92a4c481c307195
SHA3-384 hash:	95c4123834be742831db7981f61b098b576410523aff2d10906d559ab8d6a2df10989bd3b2bd5b4d68812193f32913e6
SHA1 hash:	64c8efcbbeef4d217a0dc1462c2eb645d9062ea8
MD5 hash:	9aa179a57c735fa49f0c4ad5dc609154
humanhash:	yankee-alanine-rugby-freddie
File name:	Svumhmp.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	635'394 bytes
First seen:	2020-07-05 07:49:18 UTC
Last seen:	2020-07-05 08:52:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d7a6667308868eb5622c328a0adcf08f (3 x FormBook, 1 x RemcosRAT, 1 x Loki)
ssdeep	12288:iyiFoineGN96o8EsP7/DQY8S0UuYxV9i0Lv6F:iDQGN91w7rt+UuYxVXLv6F
Threatray	5'181 similar samples on MalwareBazaar
TLSH	23D4AF61F2D28537C1671A3DCC5BA7B8A829BF512E2824475FE53D0C5F39382392AD93
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: WIN-EJCFGSELCJO.home
Sending IP: 185.4.30.96
From: INFO@BANKBOURSE.COM <info@technicalshop.ir>
Subject: FW: URGENT REQUEST
Attachment: Details.zip (contains "Svumhmp.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

99

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/20585/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cf6bbd5a9224dcd52aa71c16288945611a3348ca9953f32fa92a4c481c307195/

Threat name:

Win32.Trojan.Remcosrat

Status:

Malicious

First seen:

2020-07-05 07:02:10 UTC

AV detection:

37 of 48 (77.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z5v32wusetonkkvhdqlcrckfmendgsgktfj7gl5jfjgeqhbqogkq._file

Verdict:

malicious

Similar samples:

0efa7703690d3fe9df70c81d7dea974aa710c7c55a76fd50e6a050bc76698d89

1940c82d728454e9a43d2efc7dd0033fcbf58880b32d227830e54a43b885ca3c

2680be0d6ab364c09e9ca33e93bc0dfa3de6906e014bdb4aafc77ea9caf76650

2b8f048a61ef0fcd4a8d4f54cf1a22cf637883aae8b542f981ead6f043f02ffe

426a7d5241a207054d695ea06f8133260c2684c5598420954f0fde91a03fe059

5e2ceeaf0867b931ec61f6e4c6bd5403e237353eda4816509038fdec470b6ddb

74d74e7da724014c17890327f3464b435314f480eb46553723ce0766941b38da

8ce629f720939b40acc1e571be11a81967e80dd4deb2a2b2a140623d64ea008b

e273d82c782a01c388cc619e6832bfb43301f4308884751b9393262302fc84c0

f01669ff0af4c1b8f4f15985fae94c302537ed8affc5b2fe01534594036218f2

+ 5'171 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware persistence

Link:

https://tria.ge/reports/200705-z9fs57m9n2/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

Adds Run entry to start application

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Legitimate hosting services abused for malware hosting/C2

Adds Run entry to start application

Reads user/profile data of web browsers

Reads user/profile data of web browsers

Adds Run entry to policy start application

Adds Run entry to policy start application

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip f640fe7dfd8b146f1910784bdd0181dc38d266472b737caf7028c1a15c83eea7

exe cf6bbd5a9224dcd52aa71c16288945611a3348ca9953f32fa92a4c481c307195

(this sample)

Dropped by

MD5 6ba4c029b2dcba0db9f71a61edd634df

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 f640fe7dfd8b146f1910784bdd0181dc38d266472b737caf7028c1a15c83eea7

Cape

Cape

https://www.capesandbox.com/analysis/20585/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample