MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02c0281a3070fbfa697f994301423a453091101f4c1c174360352e52e910642f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	02c0281a3070fbfa697f994301423a453091101f4c1c174360352e52e910642f
SHA3-384 hash:	c46642769c8796fc463e8cfe19d763cf16ae5c5b9a16168031d94df40c37cf15719fa6281f378e3a3ef3e62320d6ddaa
SHA1 hash:	47642e630582a869a82eda49ec05c5bd8f0ef14f
MD5 hash:	95c6a4ec5b01c8cf776e419b9caa33a7
humanhash:	pluto-virginia-oxygen-nine
File name:	SecuriteInfo.com.Trojan.Siggen11.59612.19330.21926
Download:	download sample
Signature	Formbook Create hunting rule
File size:	404'992 bytes
First seen:	2021-01-26 12:10:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	6144:WoIHTM8hkaqTUv/4TMV+J0F8+g/qA+fhQ0xhkYBV4lWt7KkrHNkX6TKI5/DX85JQ:WoVehQske4oxKkrO6eI5/DM5Jjs
Threatray	3'637 similar samples on MalwareBazaar
TLSH	E784E1609EBF424BD43D0F719272D5305DE23F64A54B8A09F8FE629E02B77124946FCA
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

COSU6283389840.xlsx

Verdict:

Malicious activity

Analysis date:

2021-01-26 07:16:14 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 loader

Link:

https://app.any.run/tasks/bd64a1e9-ca19-4173-aa0f-699fcad796e0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/113876/

Detection(s):

SecuriteInfo.com.Trojan.Siggen11.59612.19330.21926.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Connection attempt

Sending a UDP request

Launching the default Windows debugger (dwwin.exe)

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/590561

Signature

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/02c0281a3070fbfa697f994301423a453091101f4c1c174360352e52e910642f/

Threat name:

ByteCode-MSIL.Infostealer.Stelega

Status:

Malicious

First seen:

2021-01-26 07:27:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

420f06103fac607a08bc7ff557201ffc5fc4f693aa52df9476171ed5398d8bf5

Formbook

46c3ab59682596a8e030fb0bad3d31c59e502f68b9f3c112309edd82d27513c3

Formbook

8cc59465e09b47aa8c0fa9f06198c9a2e8a94eec0b7bf7c7e63cf1f972f6e88a

Formbook

a026f6e6988f126a35bb044b7215fa5fb20a41a3b3bac722bfb7f53e670cc0f4

Formbook

c383b5258941145e0402f4d3be4b2f0c19dbcb842f9d2954e1acf8806a1b9800

Formbook

c58e2d245f99b53a5d4006c4f1daac8085b622eeab9958a576e7b82ae8e8380d

Formbook

cc26bac0f47c7d3853f301243a6cca755b3eebd571133ddbb247998caa8d8682

Formbook

cf18069218b5b834227fa33133f629f24be9c582eeb0caaf0d7641520b1d9748

Formbook

fc4a97c809b221101e5bd66497e1c058c8b33913c336a74183c7d7f7caedc803

Formbook

+ 3'627 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210126-hv6d1e4z9j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.bytecommunication.com/aky/

Unpacked files

SH256 hash:

0886cb189a2501ed59a473228a47d17fb6b4e29f810bf3c7e995c82ecba4fc69

MD5 hash:

2ce3b24c2b9360453d217ca2c117d66f

SHA1 hash:

fa4b14d19c125b17ab197706a27e8ebd709bae1b

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/d1ca1978-52ab-4e7e-a56b-fd6c98c83f93/

Parent samples :

c383b5258941145e0402f4d3be4b2f0c19dbcb842f9d2954e1acf8806a1b9800
fc4a97c809b221101e5bd66497e1c058c8b33913c336a74183c7d7f7caedc803
30dd3160b2a93b2b20726e2707ad4781b8e6e3802865fc1f0582a3b9eb1644e0
c58e2d245f99b53a5d4006c4f1daac8085b622eeab9958a576e7b82ae8e8380d
cf18069218b5b834227fa33133f629f24be9c582eeb0caaf0d7641520b1d9748
cc26bac0f47c7d3853f301243a6cca755b3eebd571133ddbb247998caa8d8682
02c0281a3070fbfa697f994301423a453091101f4c1c174360352e52e910642f
689ffe9ea264100eb4d4cac903a987565546976883721729f99ac40c049998e0
d8b5647390a41edddb0e0f20479a7723bf337ff86784335bb24decdb2a220a26
f730752f0004b350ae3feabc65cad92908079f4ced927cf320228621eec9bac8
6133a328e01379d6e45f954db62359ec9217b220a1e359253dd479bce7905b19

SH256 hash:

97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf

MD5 hash:

8cd28be4bd9a1404c6d3600db32b3ed1

SHA1 hash:

fb90b0ca51118e771390d58b19d0a404ee14cfbc

Link:

https://www.unpac.me/results/d1ca1978-52ab-4e7e-a56b-fd6c98c83f93/

SH256 hash:

49be38a7966e86556270c75680084367ebec8aee39861d1d63f383bb3acd6cb4

MD5 hash:

75fcd409501dc47b18c7c856a37465b8

SHA1 hash:

22cd4b070383714b49118176490d28dd99d83c15

Link:

https://www.unpac.me/results/d1ca1978-52ab-4e7e-a56b-fd6c98c83f93/

SH256 hash:

02c0281a3070fbfa697f994301423a453091101f4c1c174360352e52e910642f

MD5 hash:

95c6a4ec5b01c8cf776e419b9caa33a7

SHA1 hash:

47642e630582a869a82eda49ec05c5bd8f0ef14f

Link:

https://www.unpac.me/results/d1ca1978-52ab-4e7e-a56b-fd6c98c83f93/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/02c0281a3070fbfa697f994301423a453091101f4c1c174360352e52e910642f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 02c0281a3070fbfa697f994301423a453091101f4c1c174360352e52e910642f

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/978566/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/113876/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample