MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c0b9f69c227d86700be2a4dc67460fa30e46610e444a7dbe143a9bc5bda1297. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c0b9f69c227d86700be2a4dc67460fa30e46610e444a7dbe143a9bc5bda1297
SHA3-384 hash: 8e56e2458dd0b3e00b7e065a3478e3b44b86f4775874056743e8c82c75842a9ee937cc1294bad7930fa54ea1f37486ac
SHA1 hash: fc42a2aed3f752fbd0ffbf866b41f59c38f35cd6
MD5 hash: f60881f26cd9554e3d2075d9911b671b
humanhash: comet-washington-low-princess
File name:f60881f26cd9554e3d2075d9911b671b.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:312'832 bytes
First seen:2020-05-25 15:28:27 UTC
Last seen:2020-05-25 16:46:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:+dAODp8PEzCSSbHfq/Qx3G4q5DkcPGUhGuGuCJSqhNiAUSztL4:+dn8PE237x3GL5DkcBGfJSqhJlztL
Threatray 5'089 similar samples on MalwareBazaar
TLSH 2C64E0502FDC3FE4EC794BF058F1980097BEE0671616E2585DCA16C92969FC23AD4AE3
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.299.31133.28475.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 02:27:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
25 of 30 (83.33%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1397dc48d497802e469f2dc1509622cc2aa0382dfe63011767eef0c5cb24e6af
Formbook
31f02d35e3e941b42298936bd026b39a5d682825bc4b4277945f9f0143617931
Formbook
4092b0f7ea14add16e6f6f35071b074458a19d4550af50a80ed5742cc7046568
Formbook
60b16ec5588cc16f4513cd9c999ec223894cef95f7b48c5b180bfcf3852d1521
Formbook
65cd6807556189c85811f11fb91a981749e7d9760e5a72c0845dd6b8ff93a8f9
Formbook
66812d316b85e20248c4af1f141a372ec1e434d951f7c6fc51402ab23da87845
Formbook
773fbca16ec67d4820654e39aaa65645f8608a8f7186f12b5ed62498ff1334c6
Formbook
89819dbac176147b14b878250b43d1954844e6f0d4bace8b4607bad4405ca96b
Formbook
bb0c96dd4021c9d4f7b7f85ce5372ef74f7ba8c1a257d2c152db052020219799
Formbook
e8172cbc3806d750d00a5619e618ffc068b9d8247b5f4da507642e70e32ac3f9
Formbook
+ 5'079 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-4z66lje9ne/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.yofdyk.com/q5e/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8c0b9f69c227d86700be2a4dc67460fa30e46610e444a7dbe143a9bc5bda1297

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments