MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02c69531b427dfcd3727b5cea0b1bd11463901daa643165d606feb92e138587c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5

SHA256 hash: 02c69531b427dfcd3727b5cea0b1bd11463901daa643165d606feb92e138587c
SHA3-384 hash: cae0b3bc787825deb0733eca1c543f98a916e9b9fb83a2850c2b71d7fc51767db0461e7267fef74fa7424061ea9b8114
SHA1 hash: c87974982ba57e58f947b9fba9ff2ce4cc198e33
MD5 hash: 2ee2e9b77dd7bd3670e2fae815815957
humanhash: triple-summer-artist-minnesota
File name: 9b48a29dd4886ab17a4efdd541e43f48
Signature: Formbook
File size: 406'016 bytes
First seen: 2020-11-17 12:24:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5b6fd9945877b7e9d67b9e475c6d6ddf (16 x AgentTesla, 15 x AsyncRAT, 10 x Formbook)
ssdeep: 6144:YjqXT2NoXglR2TuaLNT73AVAOm/te0m53mifb2vWm1vWyXRisuckGiz57eX1lqNI:eqXT2GXHTuuGwKmDAyXRikrE141lkr0n
Threatray: 2'945 similar samples on MalwareBazaar
TLSH: BD84E11870E2C433D0B9103459C89763987579322BA5B8BBF7984B2D9F387D29772B27
Reporter: seifreed
Tags: FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 76
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Unauthorized injection to a recently created process
  Launching a process
  Launching cmd.exe command interpreter
  Setting browser functions hooks
  Possible injection to a system process
  Forced shutdown of a system process
  Unauthorized injection to a system process
  Deleting of the original file
  Unauthorized injection to a browser process
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-11-17 12:30:50 UTC
AV detection: 28 of 29 (96.55%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a

Unpacked files
SHA256 hash: 02c69531b427dfcd3727b5cea0b1bd11463901daa643165d606feb92e138587c
MD5 hash: 2ee2e9b77dd7bd3670e2fae815815957
SHA1 hash: c87974982ba57e58f947b9fba9ff2ce4cc198e33

SHA256 hash: 897fc7b54d628885c17c53b9ded364a8dfa22a207824a24503cb5cd1a8b33e3a
MD5 hash: 8c36c9bb74e3718275b27896e585e727
SHA1 hash: 08c7da0b01efde09a524dd4df8335a6b41a9bfd2
Detections: win_formbook_g0 win_formbook_auto

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Formbook
Author: JPCERT/CC Incident Response Group
Description: detect Formbook in memory
Reference: internal research

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_formbook_g0
Author: Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other