MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e98e20e7f6ca6411a6da4193276bd5e1a58602f761f2d3b33281e88dd411d9c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook
Vendor detections: 7

SHA256 hash: e98e20e7f6ca6411a6da4193276bd5e1a58602f761f2d3b33281e88dd411d9c7
SHA3-384 hash: ab203b6238142b6767e0b9a94ef53ef43bb92cf3d71499139d59b630fb9ee9289567bbe780e5e7f9a1026d66bdd3641b
SHA1 hash: a178a051899a8f05ca36f8b5b3bc9a7fa17a6ff5
MD5 hash: be9c2487401730779af8fef4ab77072b
humanhash: utah-summer-charlie-august
File name: nuijoat_Signed_fm.bin
Signature: Formbook
File size: 1'013'928 bytes
First seen: 2020-07-20 10:58:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3a53a72dea4f25a6a6c0f0fbab7e5ef2 (2 x Formbook, 2 x RemcosRAT, 1 x AveMariaRAT)
ssdeep: 24576:KgtGHnojbfsr80kwyjUcszLuVU0dEuXXJ+CYGz3iXc8kWSmnayA:KggHHYe4UcszLuVU0dEgXJ+CYGzKRS8d
Threatray: 5'407 similar samples on MalwareBazaar
TLSH: 0425AD23AF9D8432C2A2653C9D4BD6FE5431BC553A18C857A7E83C3CDE3A395342A197
Reporter: JAMESWT_WT
Tags: FormBook

Code Signing Certificate

Organisation: Microsoft Time-Stamp Service
Issuer: Microsoft Time-Stamp PCA
Algorithm: sha1WithRSAEncryption
Valid from: Sep 7 17:58:56 2016 GMT
Valid to: Sep 7 17:58:56 2018 GMT
Serial number: 33000000CCCBB813EB5D722D450000000000CC
Intelligence: 15 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 0C043752471269029D69B98BD42DFAD2656F1BCFDEC9A291039F4EF69B496C70
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 77
Origin country: n/a

Vendor Threat Intelligence
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph ID: 248086
Sample: nuijoat_Signed_fm.bin
Startdate: 21/07/2020
Architecture: WINDOWS
Score: 100

Sample (root):
  DNS/IP: www.betafreemovie.info
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Sigma detected: Steal Google chrome login data
  4 other signatures
  Started process: nuijoat_Signed_fm.exe

Process nuijoat_Signed_fm.exe:
  DNS/IP: speedfinance-cloud.gleeze.com 185.241.194.58, ports 49734, 49736, 49738 (NETALISFR, Russian Federation)
  Dropped: C:\Users\user\AppData\Local\...\fmrdfck.exe, PE32
  Writes to foreign memory regions
  Injects a PE file into a foreign process
  Started process: ieinstal.exe

Process ieinstal.exe:
  Modifies the context of a thread in another process (thread injection)
  Maps a DLL or memory area into another process
  Sample uses process hollowing technique
  Queues an APC in another process (thread injection)
  Injected process: explorer.exe

Process explorer.exe (injected):
  DNS/IP: www.mansiobok3.info 162.213.249.180, ports 49742, 49743, 49744 (NAMECHEAP-NETUS, United States)
  System process connects to network (likely due to code injection or exploit)
  Started processes: rundll32.exe, mshta.exe, mshta.exe

Process rundll32.exe:
  Dropped: C:\Users\user\AppData\...\26Rlogrv.ini, data
  Dropped: C:\Users\user\AppData\...\26Rlogri.ini, data
  Dropped: C:\Users\user\AppData\...\26Rlogrf.ini, data
  Detected FormBook malware
  Tries to steal Mail credentials (via file access)
  Tries to harvest and steal browser information (history, passwords, etc)
  3 other signatures
  Started process: cmd.exe

Process mshta.exe (first instance):
  Started process: fmrdfck.exe

Process mshta.exe (second instance):
  Started process: fmrdfck.exe

Process cmd.exe:
  Dropped: C:\Users\user\AppData\Local\Temp\DB1, SQLite
  Tries to harvest and steal browser information (history, passwords, etc)
  Started process: conhost.exe

Process fmrdfck.exe (first instance):
  DNS/IP: speedfinance-cloud.gleeze.com
  Multi AV Scanner detection for dropped file
  Machine Learning detection for dropped file

Process fmrdfck.exe (second instance):
  DNS/IP: speedfinance-cloud.gleeze.com
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-07-20 10:59:03 UTC
File Type: PE (Exe)
Extracted files: 68
AV detection: 25 of 29 (86.21%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: persistence spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Formbook
File type: Executable exe
SHA256: e98e20e7f6ca6411a6da4193276bd5e1a58602f761f2d3b33281e88dd411d9c7 (this sample)

Delivery method: Distributed via web download

Comments