MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e273d82c782a01c388cc619e6832bfb43301f4308884751b9393262302fc84c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	e273d82c782a01c388cc619e6832bfb43301f4308884751b9393262302fc84c0
SHA3-384 hash:	0ce880be429836079cc4b700414beb0f8f1df26641f94af1a2e952d163eb6aa5116bfad7b6346dd80376bc836ddbf661
SHA1 hash:	8ca8dd2b7dd9d54e16edd70a9cfcf63cebe5af88
MD5 hash:	ec8393ea1aa4437f397563a7f66178d6
humanhash:	william-vegan-mountain-salami
File name:	ec8393ea1aa4437f397563a7f66178d6.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	266'752 bytes
First seen:	2020-06-17 12:49:26 UTC
Last seen:	2020-06-17 13:42:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	3072:vRNhDkHu/8Umc9p3LILaZTa3iU6RCM4ZlygMjnfGkDH/UreFiBXILGoISjTNp2y9:pMHu/8UmcoLaZCqRCLZHMjb8SNvrBmI
Threatray	2'241 similar samples on MalwareBazaar
TLSH	6E44D008935D4A01C3DCD7BDEA9B1516CF328B235303D7D984A9E9F87C6A7F24A50A1E
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

2

# of downloads :

87

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/19535/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WEZ.12363.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-17 13:35:30 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4jz5qldyfia4hcgmmgpgqmv7wqzqd5bqrcchkg4tsmtcgax4qtaa._file

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

0638b1723d45eb9fbbf4db0428aeb59b08da4082779c361ae881445ef35bb6d4

0abe72d915f50b2a21fc3cafc52152db81bef2a16be4ccde68e64942bf927af1

28ebdc57f4de0a5f04d5ac0c8f17996d257df911de9900c3e6db1f1e213383b7

7095eec286427d0c168ef01a9d20e741032194cd9e4fb607c02a55c0a1df29c5

8cd14212205658092f91a376a85fb70802200671ea0cbc74b73f1fcaf0f88ddb

92574e92ed7461639393ef09258609b637fc5e68341c5fe13e460f2dff705d0d

97d8ae62cb751e857b04d9eaa68ee2acce3d7243009bdb04639a729cdfc7cbf3

b5ee70ba14a2bcb9936bd64d99ce7b51785ba328b16a0be49d47c10cba17980c

d7083f1007834bbc16f0b6d2ee0e1e2b9e79a04af2a2e21f2d2682c9dff939eb

dc390cfb0419c5a93c339e395061b5ed5d9d7b08995680552d409c8f8302a109

+ 2'231 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

persistence spyware evasion trojan stealer family:formbook

Link:

https://tria.ge/reports/200624-kkz89y3856/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Enumerates system info in registry

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Reads user/profile data of web browsers

Adds Run entry to policy start application

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe e273d82c782a01c388cc619e6832bfb43301f4308884751b9393262302fc84c0

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/390051/

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/19535/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample