MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbc04306880313e1c67e38265c9ec331f336cba5bc461266e05228b22094defc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	fbc04306880313e1c67e38265c9ec331f336cba5bc461266e05228b22094defc
SHA3-384 hash:	88b8ff417b1b0c7587422010d00a93c8a65faf021837a28a063239d90152a5ec5c28de01f6cdaa58ec0f66068024e292
SHA1 hash:	9c2f291238f7148cc483ab9218250fb39f09d388
MD5 hash:	35459f019b273f9becc7346a5ed43315
humanhash:	april-music-charlie-sad
File name:	PO-HN210520-01.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	34'816 bytes
First seen:	2020-05-21 07:11:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	768:ZpBXz9F35vaRPSWlH6efl/5kZFeWi2mVOXBfv1+kkQDDXQ3Cox26u:ZpjiRPSxeWmVCBFkQDDXQ3Cox2x
Threatray	4'898 similar samples on MalwareBazaar
TLSH	4FF23A143AECC12EF2AF4FB83DE150A55A71F3271202EE9A1E4D279E5953B408E1137B
Reporter	abuse_ch
Tags:	exe FormBook Yahoo

abuse_ch

Malspam distributing FormBook:

HELO: sonic310-25.consmr.mail.ne1.yahoo.com
Sending IP: 66.163.186.206
From: Kim-K. Sally <kimsally@163.com>
Reply-To: kimsally@163.com
Subject: Fw: Please Check New Order Please Send ETD/ETA
Attachment: PO-HN210520-01.rar (contains "PO-HN210520-01.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

86

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2020-05-21 07:36:06 UTC

AV detection:

21 of 31 (67.74%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7paegbuiamj6drt6hatfzhwdghztns5fxrdbezxakiuleieu336a._file

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

3bc2e6f78c3a261a13546f719d6b089dab1730e8f6539d7ab7a319fc3e410270

4c1fe4c0f5d8d1277036802c83df3e083b31318dfc2c194ce93b7169d7ba6e3d

72e42f1672249fbd4db20c17d5e29fba5838ef08cf0f6964d84ffc434ea46f27

7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6

9a4f09a04f936d38799360de7c824701e635ce56d7d014903a6934626c3042a0

b8ee3458736fa73672b43a4c55e136bafc48b215dcb89dac28b5865ab59fc99c

c5b06fbd603308f84e5f80396dc5de515ec75a43825732c8a53265add22942c8

d34f87c6a070f4f73344156c16be7040f2932053aea2868e98b0fa4297113835

e69790e910b1817bcfb714f20fda02b6e024babd3dfcea8fa982192928a5df93

e99c6ae5a08e119d151f0c28b6b164d98ca6fd24d1d91b6f57bdf40f3d688c91

+ 4'888 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-wt5zc3x9ae/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses the VBS compiler for execution

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 6fa7d95ad6cc653b776a04af1abbb05050458bc9ef7ce3ab928d67615f9496c4

exe fbc04306880313e1c67e38265c9ec331f336cba5bc461266e05228b22094defc

(this sample)

Dropped by

MD5 3f95992db8dfd967a1d1f6851fb086ed

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 6fa7d95ad6cc653b776a04af1abbb05050458bc9ef7ce3ab928d67615f9496c4

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample