MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29247c960e16e376148704241453b7a008a62c050e9d11b2bba111452acb7fa3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29247c960e16e376148704241453b7a008a62c050e9d11b2bba111452acb7fa3
SHA3-384 hash: 18ce6e6ecbed25f461b01ccbe95c46b6c2897c05e3193e32f9d0a73584f56449ffc5b3627597b7f9186a513430d7d251
SHA1 hash: f80705ee98264bc2db9cec9284676d895484bc95
MD5 hash: a4b6c5e96b85a855e798cf469f91c66b
humanhash: jig-twenty-quiet-kitten
File name:a4b6c5e96b85a855e798cf469f91c66b.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:355'414 bytes
First seen:2020-06-04 06:27:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep 6144:T6dWe44Tk57DpzH9XD5WAiF8kMDM8AHu6R+5bGOw2B0caTjHZEh3bB1UgWgvmfVE:t4k57DppJy8k58zw28jyh3bcgWJtE
Threatray 5'305 similar samples on MalwareBazaar
TLSH D074135027D19063F1D8ABF10A63D4816735F5228BE5968F0FE42EFDAD32191E71708B
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.43030161.1771.14598.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Delikle
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 05:38:30 UTC
AV detection:
16 of 31 (51.61%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=feshzfqoc3rxmfehaqsbiu5xuaekmlafb2ordmv3ueiukkwlp6rq._file
Verdict:
malicious
Similar samples:
06cedd3e446db41cd53877ce7b7c24c31bc034260d7de377c01bb06e1ea9add0
Formbook
0e661b488a5571afb39ddf31bda089f7c032ed0a077501c3b7c8a31a0a6442d6
Formbook
52ea3c1f51eb3a8920e2895ebe7d54ed9b010407775434da9c47fdeceae7af84
Formbook
71143c4b78e1626ce16fc67c88e5237afe61c74ed256712f78aea97b79c5e890
Formbook
7af08bbd907a68770548426050115d6b0aeba599e0c3bd03c03f5ef8268ceb11
Formbook
8a1f8815b2d54f7171358001bec7be97d87660a29d8bce9d247da901b012f594
Formbook
a9f95f4853acbd95142dba6914c2c87ad89d1c1db87ae6ea95ada23d63635c9d
Formbook
b1d9adc8ee80f24960fb84adbb029695e49763faecbf559f92410d44bf28b0d3
Formbook
d4405060b30fab298c2747fc58ec301dfa160be2df3e335a78900fac044a2493
Formbook
d789a675b16eca7a3d78fffd03d6dfc18a396d6eac4da2472b99700ff1cb09c7
Formbook
+ 5'295 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-28l6hfjxbn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.sucxet.com/kx7/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 29247c960e16e376148704241453b7a008a62c050e9d11b2bba111452acb7fa3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/375604/
  
Delivery method
Distributed via web download

Comments