MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7ead8266de17cda17f2c1cf6b146c616a092f2a4d2e59cf80e2815976c5932d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	c7ead8266de17cda17f2c1cf6b146c616a092f2a4d2e59cf80e2815976c5932d
SHA3-384 hash:	6a203c0cd010d8ec8dd749d0689d32a0bc1394954d6d836676fbcf829f36dd545a38f2805b1bdb415f341d85d3d673f4
SHA1 hash:	e1ef338882f6e76dae984cefea50d0a9d3182b33
MD5 hash:	2178c797e62315a89eee02a79272e8d7
humanhash:	wolfram-network-moon-quiet
File name:	SecuriteInfo.com.Artemis2178C797E623.12009
Download:	download sample
Signature	Formbook Create hunting rule
File size:	640'000 bytes
First seen:	2020-08-03 12:42:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	6144:5HAXGxZdSx+HTyzJ4rl8oVX76Zd48Y+ff+9vnNmx4Z9HCnv4PF4j6CuSgPp5AMwE:5FPLPt7UG4fGnNHcnv34R5AMcoV
Threatray	2'339 similar samples on MalwareBazaar
TLSH	98D46C523985DC62C2A76B33CC8FC21403B9BD1199D2EA1AB5DA73ED0612BF7DC055CA
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

66

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/37799/

Detection(s):

SecuriteInfo.com.Artemis2178C797E623.12009.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/407872

Signature

Binary contains a suspicious time stamp

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/c7ead8266de17cda17f2c1cf6b146c616a092f2a4d2e59cf80e2815976c5932d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-03 11:58:11 UTC

AV detection:

35 of 48 (72.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=y7vnqjtn4f6nuf7syhhwwfdmmfvaslzkjuxftt4a4kavs5wfsmwq._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

4951d233fb87fd6036e0baadf6b91ceb91ebe5d61fc048a27949949c8476b82d

77a42c231f074c0437c6e7ee53604e857f9496fcc17aeddfe987329cc748d353

7ef397f325081c95cf955982b820684a4f506bfc12d281b6423ca8a4d0140b93

8247e9152d0b43ffa80b4c82843bb0903043841c8b9c855ff312461f6443faf4

896745863d78a02b1cf02565dbeb3bca4bfd156a1079d28c07ddfb2d8b9fc665

8e395f386862d95d1a2837a56ffac8ec6a8dacd3e61fac1912f1960ada8c5abd

a0086dfee2dba4d6a0adab05e848cfbb9755f68be7adef3ff35ff9740e5a1c2e

a14dc3eb54f3876b3a2bfc6e0aa105c832fc5424130c43248995cceda6790133

cde5b9157162c55139f508884d7be6be903acc9d85842a667c1b2ef04a1ecd49

dee1fa115a3e06310b958baca7bf709144f770de027ab3c615f6937b7544cd75

+ 2'329 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/200803-4bf6lc9t1e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

NJRat

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c7ead8266de17cda17f2c1cf6b146c616a092f2a4d2e59cf80e2815976c5932d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe c7ead8266de17cda17f2c1cf6b146c616a092f2a4d2e59cf80e2815976c5932d

(this sample)

Cape

Cape

https://www.capesandbox.com/analysis/37799/

URLhaus

https://urlhaus.abuse.ch/url/423753/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample