MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed21049192c51ab75191b0791aa7d746b86fc3bca997cea24726399a45a734cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	ed21049192c51ab75191b0791aa7d746b86fc3bca997cea24726399a45a734cd
SHA3-384 hash:	a8064c23bbd664b89ef12b1b41aef51940a66485683afc612e6ff34d83939db524375f2ef50e6e4be7a6a22d8f1e102b
SHA1 hash:	a56ccb98563a77f0d30497a77d09224105bd5cbb
MD5 hash:	d4a9a1e745f07ccadeeed650f2e2969b
humanhash:	oklahoma-charlie-wyoming-tango
File name:	CAII000080521.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	340'480 bytes
First seen:	2020-06-15 14:30:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	6144:DEYjFrZnsggAPjuY1MSelLMi7qLNK1YzXE7oqYE9+U+0VdojWqzxh/uR:D5j5ZnRJPjuY1MKXLihsf0PsWqjWR
Threatray	5'432 similar samples on MalwareBazaar
TLSH	4474AD3897687E3BCABE433CE549455CE7F1D267068ED78AAC4220E9C746352F42364B
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

73

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/8205/

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-06-15 10:16:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

3

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5uqqjemsyunloumrwb4rvj6xi24g7q54vgl45ishey4zurnhgtgq._file

Verdict:

malicious

Similar samples:

03e2fedf787303ddbb21c7d1850f7a97dccf1bc5ccc3846d37d827e498263ab1

2ff5f726080125732c91296d7bce8b496e5d50d2fb8b3d028f0f41990565015e

58f28dd7cc2c257f5ac8dec9111d8cf8942e1cf62bb8334f4922e4b124d4eab9

67c174f4fdeb4a63472a22bb21de9d1b472da3521dcfa4ba8b285e25e1f1fa26

7d65c5f831361d3e7441c49dfe9e5a286c1b142fa1315c3460e144b240a2afaa

8e40f99cc08408c1ee5a1ec56357f23d993e29a6c4e5751a6fad33e7c9e222e1

a601e4a16b16f0eacedc679e3f367d990c0cc913470d138b4d3e6d3ba156f7b7

bf58aecacc268c49d707512236a42c80cf096b24850c3096eb056f662ecbe2e3

cbbc3af13a3cc33ff5dffb137c7276dd246f9b9a696de51d6858461e986d4ebd

ec3275973764fa95e7fd95628318c58c9731eeaf4a530f80e954330e8de52e6f

+ 5'422 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-xgg7m4zrpx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Maps connected drives based on registry

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.allixanes.com/b7001/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/8205/

Cape

Cape

https://www.capesandbox.com/analysis/8199/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample