MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 081e0a3ba699ed2ecdca059eb30de07eff5226c33ae0f5eabb78a6b8577b2685. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	081e0a3ba699ed2ecdca059eb30de07eff5226c33ae0f5eabb78a6b8577b2685
SHA3-384 hash:	f08e85f7ca3bc513bb3a498d352ffd9c4b33f8a894ef73038be3132d8328fd5e27159936b0b3a6d1634d624be9b33ca2
SHA1 hash:	073c736af4436a94fa33b2cc611aac24aee53bb7
MD5 hash:	0f7947205ffb11e967ab66637eba87a8
humanhash:	tennessee-romeo-mississippi-gee
File name:	SecuriteInfo.com.Trojan.PackedNET.405.6036.4041
Download:	download sample
Signature	Formbook Create hunting rule
File size:	841'728 bytes
First seen:	2020-12-01 23:06:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:FlHOGPEgtMBx+6Kf8i4GZy42l5txw/sZS:FlHOybtgx+V/IfZxw/
Threatray	3'080 similar samples on MalwareBazaar
TLSH	0905F13122B89D54D6BD0FFA16B421400FA5666B557DE30DDA8020CF2EB2BD08E6FB57
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/106304/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.405.6036.4041.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Launching cmd.exe command interpreter

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/553101

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/081e0a3ba699ed2ecdca059eb30de07eff5226c33ae0f5eabb78a6b8577b2685/

Threat name:

ByteCode-MSIL.Trojan.MassLogger

Status:

Malicious

First seen:

2020-12-01 19:48:05 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

1fc8a3262a1c12fd2ec5ffded3e5b8f83a14ebcbb1313e73900534ae42cc1ef8

Formbook

3176528c561817095af859f4809a2091f8557f93c27a0fe32ee71c8fc3b71f33

Formbook

48fb5ca3a7323643cd3cab475e1e7615bf619ef568c2673f7e61e128d263a114

Formbook

4cb957166b87af52d625fe0ae926e024db9cb6722d1cb5ade20bbf1b8ddaac34

Formbook

5c1d2289de5b338620bb43ede89d6d7afcf86cc4d2b20db3a3f20e5579e925fe

Formbook

787e10aed324cae24ab5136f95deb95efe8715a6bd7ced09028b2ee21d228a5e

Formbook

82c53ee74253581efe369c99373d6c978b3b9b799eb04de6c4eb59d2825e8ee2

Formbook

8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c

Formbook

d085d4d4370b02036dfe9de7c9061d88a8a5cd12cbced6dbdca9ba217112375c

Formbook

+ 3'070 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201201-p2y3ls6946/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.anuschkaleathers.com/zsh/

Unpacked files

SH256 hash:

081e0a3ba699ed2ecdca059eb30de07eff5226c33ae0f5eabb78a6b8577b2685

MD5 hash:

0f7947205ffb11e967ab66637eba87a8

SHA1 hash:

073c736af4436a94fa33b2cc611aac24aee53bb7

Link:

https://www.unpac.me/results/c309dcc4-69e3-4043-a491-ab03bcd3084e/

SH256 hash:

c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94

MD5 hash:

a60401dc02ff4f3250a749965097e13f

SHA1 hash:

3f22d28fd765f831084cb972a8bd071e421c26a1

Link:

https://www.unpac.me/results/c309dcc4-69e3-4043-a491-ab03bcd3084e/

SH256 hash:

3cdc2c15da846bc822d8da80f53d3e660d754a0830aba9da7ef37d3b6b50a60b

MD5 hash:

08dcb1961e9b7f40981e4ccf209a8638

SHA1 hash:

bc5601e2d5652707d6a45dcfc1705c85a896ba8c

Link:

https://www.unpac.me/results/c309dcc4-69e3-4043-a491-ab03bcd3084e/

SH256 hash:

9c59c66cbda303f3a9f327c943c2db9ff00b8e8a44fe0204ebd0ce441a4e1d1f

MD5 hash:

3b1f449326c3472c63a26408c3fa1f25

SHA1 hash:

65ed605b1b8990dcea698a1dbcc911781a67e0d1

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/c309dcc4-69e3-4043-a491-ab03bcd3084e/

Parent samples :

081e0a3ba699ed2ecdca059eb30de07eff5226c33ae0f5eabb78a6b8577b2685
1e978aeca824414a2dc136c53170762a358a51490786861f1f44784b5ff300db

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/081e0a3ba699ed2ecdca059eb30de07eff5226c33ae0f5eabb78a6b8577b2685

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 081e0a3ba699ed2ecdca059eb30de07eff5226c33ae0f5eabb78a6b8577b2685

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/880402/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/106304/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample