MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aaf7a834529623fa776d9574d7026a9a40148fec3b8d598e8e8dfced91973760. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

SHA256 hash: aaf7a834529623fa776d9574d7026a9a40148fec3b8d598e8e8dfced91973760
SHA3-384 hash: 8ef8fe611a3b350000b26c5b34b4ba07c415b6d7411c4d65d6e5c823092c636b374007a511126cbee7a8155c490c3cf1
SHA1 hash: 8253f2dd6f299d6940f8a5b21388eae11fbdff55
MD5 hash: 55efd44f3444d6dcd463f231d1e39a17
humanhash: tennis-thirteen-green-fifteen
File name: SecuriteInfo.com.Generic.mg.55efd44f3444d6dc.2164
Signature: Formbook
File size: 773'632 bytes
First seen: 2020-08-12 12:05:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ca8a968818883f4b47dacd6943e1ee04 (3 x AgentTesla, 2 x Loki, 1 x Formbook)
ssdeep: 12288:X13XOoKnE7J93PUtFiMx56Vnh+23dOEhYkvEPl0E0TCCEmYI4gMnAm4tSUc/z:Re87J98ii6NY+9gN1JgMn8SP7
Threatray: 5'153 similar samples on MalwareBazaar
TLSH: 80F4BE22F3D05933CD67163D9C0B9774AC39BE51EA28A9862BF41C4C8F3968539392D7
Reporter: SecuriteInfoCom
Tags: FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 74
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Sending an HTTP GET request
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Threat name: Win32.Backdoor.NanoCore
Status: Malicious
First seen: 2020-08-12 10:32:44 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: rat trojan spyware stealer family:formbook
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.govaj.com/w1g/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download | Formbook | Executable exe aaf7a834529623fa776d9574d7026a9a40148fec3b8d598e8e8dfced91973760 (this sample)

Delivery method: Distributed via web download

Comments