MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03805a08ddc03ad125ae1566868e0ccde7965350d760dc212a224ab10520a2d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03805a08ddc03ad125ae1566868e0ccde7965350d760dc212a224ab10520a2d8
SHA3-384 hash: b7f0e4d3f5bd83babcf8493a58db019ed0506f38bbeb591143a2bd4b3bd580d95a0929f774d3c254463d62fb5bf2e451
SHA1 hash: d30b0cdd5cac5669813b1a4acff04c0fd6825666
MD5 hash: 8c079c5e340075d9fef5f5f48867eb42
humanhash: coffee-delaware-east-paris
File name:SecuriteInfo.com.Trojan.Win32.Save.a.7969.13473
Download: download sample
Signature Formbook
Create hunting rule
File size:698'880 bytes
First seen:2021-04-24 17:36:20 UTC
Last seen:2021-04-25 09:31:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:jPIrx8f0lG7HjNtmxLtis08URZtnt/X9MeMOj1c6E8wmZ5gJUz:jPm8fT7RcGi+1tM7K163mZ
Threatray 4'800 similar samples on MalwareBazaar
TLSH 44E4DF3232499FA4E47E93BA9018114097F1FD6BD326E69E7DE930ED1476F418362F22
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Win32.Save.a.7969.13473
Verdict:
Malicious activity
Analysis date:
2021-04-24 17:47:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1737fc23-446a-4480-8cdf-1ee21812e4e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144028/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.7969.13473.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/696821
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/03805a08ddc03ad125ae1566868e0ccde7965350d760dc212a224ab10520a2d8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-24 15:25:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
48
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aoafucg5ya5ncjnocvtindqmzxtzmu2q25qnyijkejflcbjaulma._file
Verdict:
malicious
Similar samples:
02b07b8086d052cca5b1f10089f93da604dfdf71d09f0370750f371e50bb0221
Formbook
494b892495fb6f002fd36477446bfc59f686fe73710d55dc782de8512452e535
Formbook
625140ec60caaae03895c18ad400c65f5d5b15f55c7a01eb419a4215d295a6ee
Formbook
70def7c02d96cb8aab6702e0d6f32c72d7fafbd2b883e09007de9fe204cd3f59
Formbook
a48a4f0d917d131353d46e23144550e83a39b26ab311287e4cdff30c009d5f66
Formbook
a64fb325fa611518c20644dfbe5728eb7767caeb63df08c4935dec5fc4ffe988
Formbook
bfa5c7ef6ac526946d60e2ebcb22c2f9e3ffeec8c9d42bc6d54a6d3373815034
Formbook
cccbd0b2d46adeb6d99413af4d5a4492cd530922a09724f04c8fb1e0c47d8326
Formbook
e069440cfd88504140f6315acc7174bd0dd961f070ccbf9b9b82c2e01af8113d
Formbook
fb17b85aa2aeaa59cb6db3e1c6eb68f83a570b5de3f10d3b09dd47a4aebdedea
Formbook
+ 4'790 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210424-hcs83b2bd6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://w����5 �@q[*��S=���m
Unpacked files
SH256 hash:
e90a19eba5f2de3ba82f652221105bb0682b07c20abddec487c6f4354ea79c39
MD5 hash:
efb0de4397ea61e17d262e278b53ff86
SHA1 hash:
727fdf2ceb13262d56bdda24a02564fb3e80c8b0
Link:
https://www.unpac.me/results/b36238f5-f37b-4fd8-85e4-a2edd1871308/
SH256 hash:
03805a08ddc03ad125ae1566868e0ccde7965350d760dc212a224ab10520a2d8
MD5 hash:
8c079c5e340075d9fef5f5f48867eb42
SHA1 hash:
d30b0cdd5cac5669813b1a4acff04c0fd6825666
Link:
https://www.unpac.me/results/b36238f5-f37b-4fd8-85e4-a2edd1871308/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144028/

Comments