MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 035c2fa5d912202dd34e8410b14a42b0db007c2be8ed819bbc444f9818497f5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	035c2fa5d912202dd34e8410b14a42b0db007c2be8ed819bbc444f9818497f5b
SHA3-384 hash:	16c8aaf4ba1b45ce8f0d0786ce1e4fff4dc357e1906a12721bf0bd67e40a73edab73bef42d93ba992d6a681081447a8b
SHA1 hash:	86904ffb2bdf8fa3e864ab50471bc8086e720999
MD5 hash:	8ab3e8276a19c042ec7a789e86462aea
humanhash:	beer-ack-moon-harry
File name:	oldmama.m83.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	183'296 bytes
First seen:	2020-07-10 11:02:46 UTC
Last seen:	2020-10-25 08:08:09 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:BAaJ0Z+jrPtW7VSSyxGzWHIavtwBztW7QQuElNwdn7bT82:BAt2ZAMYzWoDBztWnZlNw5
Threatray	5'070 similar samples on MalwareBazaar
TLSH	A204AE32D641C031E2B242B5B67E1B7B883D0E347254A4EAE3E51AE16EF05A5F52D31F
Reporter	oppimaniac
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/24360/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL

Win.Malware.Formbook-7399661-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Launching cmd.exe command interpreter

DNS request

Sending an HTTP GET request

Creating a window

Setting browser functions hooks

Possible injection to a system process

Unauthorized injection to a recently created process

Unauthorized injection to a system process

Deleting of the original file

Unauthorized injection to a browser process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/035c2fa5d912202dd34e8410b14a42b0db007c2be8ed819bbc444f9818497f5b/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2020-07-10 11:04:07 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=anoc7jozciqc3u2oqqilcsscwdnqa7bl5dwydg54irhzqgcjp5nq._file

Verdict:

malicious

Label(s):

netwirerc

FormBook

3d77c2490675a0f4e86f55ac8751a9a1912cd56bd168d9ae6c110cc385a65872

FormBook

3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b

FormBook

498fbde70a7375ef095b51ad4ad72798d26a2d28dd82e155e9afc31e95773bea

FormBook

590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23

FormBook

5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35

FormBook

5f6ecbe9757644eb46ceaef0b9e8354e63bab83b29bf47f4812c84beb08acb4f

FormBook

6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b

FormBook

76539c09f989d3cc938d6984f9ee8b6680fe2416822d63bf53a1712aaf9b695f

FormBook

d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba

FormBook

+ 5'060 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

spyware evasion trojan stealer family:formbook persistence

Link:

https://tria.ge/reports/200710-kjt146avzj/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run entry to start application

Deletes itself

Reads user/profile data of web browsers

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/24360/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample