MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0db69eb6654d1090cb17ab58537a7304e2c269613c0edabf123cf230d289db73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0db69eb6654d1090cb17ab58537a7304e2c269613c0edabf123cf230d289db73
SHA3-384 hash: 797178b422f0c1a3e0794c893aff27592bfa39a7438c56e72fa62118cfeca1d7d01684297c73324acaba9059b50f2b3f
SHA1 hash: e0d7b4c7a55bbcb9276efbc2d3ece52eba319aa0
MD5 hash: 584c37ad56ab2066725cf107d580ba89
humanhash: eight-kilo-magazine-carbon
File name:SecuriteInfo.com.BehavesLike.Win32.Generic.jc.19823
Download: download sample
Signature Formbook
Create hunting rule
File size:685'056 bytes
First seen:2021-02-12 11:00:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:wJP+4oIxbEZi9701LDnr19G+rIY1eI6ZZ3ktXY9NJlbaER2QIBC:wgpIxoZHrHrQI6ZZ0tXGN3RsC
Threatray 3'741 similar samples on MalwareBazaar
TLSH FFE4E0351B88FF14E1BD5B7BC8B09410D3FDD8029A26C72EAEF439CC58B5F98A561642
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ 2027376.xlsx
Verdict:
Malicious activity
Analysis date:
2021-02-12 07:10:12 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/67201d93-fead-43ba-9864-b0ab857a6a04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116915/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.jc.19823.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/606704
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0db69eb6654d1090cb17ab58537a7304e2c269613c0edabf123cf230d289db73/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-12 08:20:09 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00f87217db6ce0a8cdff2047e69f74165e70f3a3a2132d0465217bf27e557776
Formbook
11ed6cc2222d5e0db7cc26544b9acf7370f2dab930e73a7268d388d73674b776
Formbook
14ee2894b546ba6d7835ee4dd8e07ef72fb10bfaebec8f1687da4559267cb72e
Formbook
187785c7830aff67dd03a3bf3a067e9b760cb76f7367ee42c8e4b9c92b78d2e2
Formbook
5c262eeac56f9ceeb0b44f0b0c46535aa23c3f1317d2c03148648342854fb98c
Formbook
6c8be961f99ab4d726a615af542101a2f6bd871ce8a81e74f8520365801f9246
Formbook
9bf3bb9e44490d5836c31036a78c59c92a51d8f6bfb33363d8c617d27967ff3f
Formbook
b03882c148ef48dc1d78f6635b795e816bde09b783221cc4cd05040839144fd0
Formbook
bbfe5eaa0138f51710292488a384e4f6dcb65a6cba2a4c63387c714cec753d6e
Formbook
e7063cc17e4ab85b0ae947f6366f4a955758d2e3ef81bb2476f77aec1f77daae
Formbook
+ 3'731 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210212-22a53aqn1n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.zunebox.com/lsp/
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/f5a8c5b3-0d62-4ea9-b76e-ee10eeccc71c/
SH256 hash:
0db69eb6654d1090cb17ab58537a7304e2c269613c0edabf123cf230d289db73
MD5 hash:
584c37ad56ab2066725cf107d580ba89
SHA1 hash:
e0d7b4c7a55bbcb9276efbc2d3ece52eba319aa0
Link:
https://www.unpac.me/results/f5a8c5b3-0d62-4ea9-b76e-ee10eeccc71c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0db69eb6654d1090cb17ab58537a7304e2c269613c0edabf123cf230d289db73

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 0db69eb6654d1090cb17ab58537a7304e2c269613c0edabf123cf230d289db73

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1002203/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/116915/

Comments