MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 047ff786f8bdd92bcf070f006d07ee6ca9bf63bd08213ec6b8807486c8b3f016. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook
Vendor detections: 8

SHA256 hash: 047ff786f8bdd92bcf070f006d07ee6ca9bf63bd08213ec6b8807486c8b3f016
SHA3-384 hash: 29fbb603a51a5ae3762bd534e8a9caba64fff41376a570bc44ca1dc00ccef0fe34bba84c54876399093f43de3cc91994
SHA1 hash: 5baee3e1e2c3236eaa382a46f7919194626b4604
MD5 hash: eec0d052347c5d97f55d50a91c3a6c2d
humanhash: rugby-dakota-bluebird-grey
File name: SecuriteInfo.com.Gen.NN.ZemsilF.34132.pm0@a0@J74i.5037
Signature: FormBook
File size: 255'488 bytes
First seen: 2020-07-13 02:07:42 UTC
Last seen: 2020-07-13 02:35:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'628 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 6144:s0EGQFKmBXh5mnr+7bN64aDPUCdcxJ0pit1NaIVOn/RnhUB:sM/AY4aTHdcxJIirooaNhUB
Threatray: 5'110 similar samples on MalwareBazaar
TLSH: 1744124059AA1BA4EE095AF07D520741C3396B028932B7DA53EF376EDE3A3144762FF4
Reporter: SecuriteInfoCom
Tags: FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 112
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Launching cmd.exe command interpreter
Deleting a system file
Unauthorized injection to a system process
Unauthorized injection to a browser process
Threat name: ByteCode-MSIL.Infostealer.Fareit
Status: Malicious
First seen: 2020-07-13 00:50:24 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 21 of 28 (75.00%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: trojan spyware stealer family:formbook persistence
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments