MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0618ad213a6ce0e3dcaa65f80e4379953c38f97dbeccad081b5decc1dce38849. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook
Vendor detections: 10

SHA256 hash: 0618ad213a6ce0e3dcaa65f80e4379953c38f97dbeccad081b5decc1dce38849
SHA3-384 hash: cbe6e0f2259d0e6c6e8533ca67cc736399784bb7e46658de6ad88c951233ed34609ccd6e12482a93b5267ebdc1a35bb5
SHA1 hash: 36696bf0da5c4d6bb751018182648fc16e46d79a
MD5 hash: 99ec724b02038cb9afa938c61bf0c4d5
humanhash: sink-florida-grey-muppet
File name: inxx.exe
Signature: Formbook
File size: 421'888 bytes
First seen: 2021-01-12 22:45:01 UTC
Last seen: 2021-01-13 01:01:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6d78c203697582a336c7a0a9d7775a1b (5 x Formbook, 1 x RemcosRAT, 1 x AgentTesla)
ssdeep: 12288:sXMXFUsgEz3KHuhwZdplDl56m8KEJopKXoaRn6m:s8XyxEz8pl56mdEJopI0m
Threatray: 257 similar samples on MalwareBazaar
TLSH: 38947D26B7D8F6AAD18144B97209FFA640513C34292EC843F7C17B5B38725EE9606F1B
Reporter: Racco42
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 2
# of downloads: 205
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request

Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph (ID: 338854; Sample: inxx.exe; Startdate: 12/01/2021; Architecture: WINDOWS; Score: 80)
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 2 other signatures
Process tree:
  inxx.exe (started; signature: Maps a DLL or memory area into another process)
    inxx.exe (started)
      WerFault.exe (started; dropped file: C:\ProgramData\Microsoft\...\Report.wer, Little-endian)
    conhost.exe (started)
Result
Threat name: Win32.Spyware.Noon
Status: Malicious
First seen: 2021-01-04 17:57:07 UTC
AV detection: 37 of 46 (80.43%)
Threat level: 2/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.besthandstool.icu/uds2/
Unpacked files

SHA256 hash: 0618ad213a6ce0e3dcaa65f80e4379953c38f97dbeccad081b5decc1dce38849
MD5 hash: 99ec724b02038cb9afa938c61bf0c4d5
SHA1 hash: 36696bf0da5c4d6bb751018182648fc16e46d79a

SHA256 hash: 4d61b7ecb6a8b877d09838cb802c0b61e7a8e054bf2ef28a409fdb42810486d4
MD5 hash: 07bde13f833523a789ec8272ef524d06
SHA1 hash: c61a693f1f137f0f13c09273e79f65d37b395757
Detections: win_formbook_g0 win_formbook_auto

SHA256 hash: 96780ec9db13ea9c583ae3f70775d65cc521583642fcceb1cda226ac658d0fc4
MD5 hash: fc848c305850f579606108594e4f5316
SHA1 hash: 7189d742820b68c8f3f5b84ac3f3c911535ca10a
Detections: win_formbook_g0 win_formbook_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (Distributed via e-mail attachment)
Malware family: Formbook
File type: Executable exe
SHA256: 0618ad213a6ce0e3dcaa65f80e4379953c38f97dbeccad081b5decc1dce38849 (this sample)
