MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03c495ebfcd620a041e0e06a8f25150e27ad5445f31d1fcd502c1845ae1ad87b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03c495ebfcd620a041e0e06a8f25150e27ad5445f31d1fcd502c1845ae1ad87b
SHA3-384 hash: 666002df08927f40df9dc047c6dc787bda937921497305ecc7180ae4b18457e071896b5ae11b0d0b3b3a044324eeab3d
SHA1 hash: e3d66c939fcc06b3d47d948e102ad2cf10983893
MD5 hash: 215f05bc90e811d09c97e6bec2af4ac7
humanhash: beer-nevada-oregon-early
File name:SecuriteInfo.com.Artemis215F05BC90E8.13830
Download: download sample
Signature FormBook
Create hunting rule
File size:1'068'032 bytes
First seen:2020-11-24 11:14:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:FUYnpwLmvsf1CIMPk2ni3WueHjD8+NiyKBwm:F9omm1XMPdnduSJiy
Threatray 3'035 similar samples on MalwareBazaar
TLSH D535D07AB248AF04E5BD533A88F4182057F6EC039662C52E7DED789D1FA0BEC4960747
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/545919
Signature
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/03c495ebfcd620a041e0e06a8f25150e27ad5445f31d1fcd502c1845ae1ad87b/
Threat name:
ByteCode-MSIL.Spyware.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 05:02:20 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=apcjl2742yqkaqpa4bvi6jivbyt22vcf6mor7tkqfqmellq23b5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
201e2fd48dfdd75ee8abf1ad910deb3ffa1784ae0229fe7588b2b54119409aee
FormBook
23cb1d198cca93539a5bdbf18ce44ae3692be0ae968b5fe55e3794ec481aa1cf
FormBook
2829f8bf819c13d753f3c6b33726df8c46a533f3040b550a86ca0ab34f967e92
FormBook
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
FormBook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
FormBook
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
FormBook
e193e31155334803c7114e1f578689e26cda3faf7539fdb15d19f2f60e8379c1
FormBook
e1e0a4fba3b1dc2e64ac088f5839fe75832cd9a824fd9f0f5e043821d9d18b0c
FormBook
ef84b1824587f465b36bafcbfbe6a14953e6de0a9420904662ba207984782c80
FormBook
fc6c24e17bd06e27dcc1ac019e4080d4a1a2f10459f74c17b9bb19fb8ba6e442
FormBook
+ 3'025 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201124-16p6wy49px/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.wasteofspaceclearance.com/yc9/
Unpacked files
SH256 hash:
03c495ebfcd620a041e0e06a8f25150e27ad5445f31d1fcd502c1845ae1ad87b
MD5 hash:
215f05bc90e811d09c97e6bec2af4ac7
SHA1 hash:
e3d66c939fcc06b3d47d948e102ad2cf10983893
Link:
https://www.unpac.me/results/48f67c84-b73d-43aa-9d73-c425ff39bef3/
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
Link:
https://www.unpac.me/results/48f67c84-b73d-43aa-9d73-c425ff39bef3/
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
Link:
https://www.unpac.me/results/48f67c84-b73d-43aa-9d73-c425ff39bef3/
SH256 hash:
dcc01364f8e9ec4517baec3518219fee8ea5db8352024393f8ea2914922bce24
MD5 hash:
2d9ab09ff04bb132d4380fe02d15b4d8
SHA1 hash:
b6d2fea02216c5df3f7ac1a9985e404a331ab495
Link:
https://www.unpac.me/results/48f67c84-b73d-43aa-9d73-c425ff39bef3/
SH256 hash:
bed5eae2d72355683ddea38df82acd135aa235f88fc2d0e9a8a2af532ba73fca
MD5 hash:
3f7f5b7e07686696dac20b0e156cdc1d
SHA1 hash:
ca0566d969b74dfadd10e6dd0b5f61e45a68c3a2
Link:
https://www.unpac.me/results/48f67c84-b73d-43aa-9d73-c425ff39bef3/
SH256 hash:
f5d96e2e1c1feb865f399a36ced62be02c14a7c848e894811b1849ee9cff90f0
MD5 hash:
55e3d42497f2afc14f6bdd712f3a10fd
SHA1 hash:
cb09635db9a8c2eda4836b695a2a90e0c15be04f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/48f67c84-b73d-43aa-9d73-c425ff39bef3/
Parent samples :
e8ee7639d6ed8ac99078c59880ffbc783644c6198e925d7344542e4806379c04
06c53a780f67985794c7652bfcdbda9309d7a9b707578fda7dfc8ceb5d7bc9c7
03c495ebfcd620a041e0e06a8f25150e27ad5445f31d1fcd502c1845ae1ad87b
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03c495ebfcd620a041e0e06a8f25150e27ad5445f31d1fcd502c1845ae1ad87b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments