MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ca8077766ec7d0dfa82b3bdbaf9ca5d3410ba194398534fa4d4276f5bbba9c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	1ca8077766ec7d0dfa82b3bdbaf9ca5d3410ba194398534fa4d4276f5bbba9c8
SHA3-384 hash:	16ec11a950c938011f22dbc49d944a5350e03ef88be6ce0c7f70cc4515146870704a7e1c7efbb2845e855f1da20130d4
SHA1 hash:	490c166fdad39d38e26b26a2b963eb8a1a29d977
MD5 hash:	156a7572ffcba33e787b0f4491a62651
humanhash:	emma-ohio-equal-river
File name:	PL PI.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	582'656 bytes
First seen:	2020-07-29 07:26:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:i7epfsIyGwVTPqcP+w0+KqVU976ep7d9DFTk:0e+1BmwNKqVnebRFo
Threatray	5'211 similar samples on MalwareBazaar
TLSH	23C4B0BDB694E916C3FA9136E2EC1614CEFF8082916BF3056804D2BB59F33A2D91117D
Reporter	jarumlus
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/34435/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Creating a file

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/401693

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1ca8077766ec7d0dfa82b3bdbaf9ca5d3410ba194398534fa4d4276f5bbba9c8/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-29 07:28:07 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dsuao53g5r6q36ucwo63v6oklu2bboqziomfgt5e2qtw6w53vhea._file

Verdict:

malicious

Formbook

4bc2794576ebc0396a825e7b5f5fa26303e79972e7a2d68ded5cd68729288107

Formbook

65e71b2309d1e97113409d0308abd20da3abe300c9468752649fb366d27e1d44

Formbook

718524efef50f9e043f3db594db14aa1f5e3fba213539b5b219638d089937afe

Formbook

8247e9152d0b43ffa80b4c82843bb0903043841c8b9c855ff312461f6443faf4

Formbook

8e9f882576a66be70ed5bc204584037087f3bd53d13498126153fb7514f7dd7a

Formbook

95574ab20f094a30ec1f5d3cd6694e6afd0a5c4809e0151f5bd2b427bbbb33df

Formbook

a14dc3eb54f3876b3a2bfc6e0aa105c832fc5424130c43248995cceda6790133

Formbook

b7a360cf2a3651e663b82407d8aa940f66b4c7f9569fc445771d8bc17f727bef

Formbook

d4cca60154fcc667ada19dffbac16f84b51691a540daf850a766b91bd46544fe

Formbook

+ 5'201 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

evasion trojan spyware stealer family:formbook persistence

Link:

https://tria.ge/reports/200729-gambkgnmae/

Behaviour

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

System policy modification

Drops file in Program Files directory

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks whether UAC is enabled

Reads user/profile data of web browsers

Checks BIOS information in registry

Deletes itself

Adds policy Run key to start application

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Eldorado

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/1ca8077766ec7d0dfa82b3bdbaf9ca5d3410ba194398534fa4d4276f5bbba9c8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

cd334ee0f1d98309391b18dc5807d935e5bfe6ed822fdec85b0716ed85e21685

Formbook

exe 1ca8077766ec7d0dfa82b3bdbaf9ca5d3410ba194398534fa4d4276f5bbba9c8

(this sample)

Dropped by

MD5 d846c41fd9e5f301d960cf4affcdb689

Dropped by

SHA256 cd334ee0f1d98309391b18dc5807d935e5bfe6ed822fdec85b0716ed85e21685

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/34435/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample