MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1073ba2e8e0bd68474d83047931abe5e8e494f315a61c5fc75acf0392cbd8409. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	1073ba2e8e0bd68474d83047931abe5e8e494f315a61c5fc75acf0392cbd8409
SHA3-384 hash:	d1aa4876624581dcd892b55cb8dd324fa9fc4546d7036a60745a6930e4d00a1dd01b01d2fda97b21cfad45cafeb71be6
SHA1 hash:	e7a851e5281af9f2699096e686c36bdb84973f3c
MD5 hash:	5bc554e23600d1e5338a0a9cbef588a5
humanhash:	cardinal-potato-robin-aspen
File name:	1073ba2e8e0bd68474d83047931abe5e8e494f315a61c5fc75acf0392cbd8409
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'002'496 bytes
First seen:	2020-11-15 22:46:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:6b4uVYvXgmXHDvUwUvWITkzINGiLP+VrWnZU0xod:tfdjvURvdsINGiD+VrWnzx0
TLSH	B2259C1DD7998F5FC53913F68021D28087F581D1539AFB9A2DD084FEAAC9740EB1B2CA
Reporter	seifreed
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1073ba2e8e0bd68474d83047931abe5e8e494f315a61c5fc75acf0392cbd8409/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-15 22:47:15 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201115-6rshy8d99a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.goldenlinkpowerdeals.com/esp5/

Unpacked files

SH256 hash:

b83b43cf88c021aedfce419cb9e86b9d871863300153523d15fa0b08018e3496

MD5 hash:

dea27ff4e75e0a297adcee9d186242c5

SHA1 hash:

b74e8fc2acf76ef920c802b53a9a0250cb609c91

Link:

https://www.unpac.me/results/ef3bfea4-5a55-428e-913e-23932e5e6024/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/ef3bfea4-5a55-428e-913e-23932e5e6024/

SH256 hash:

57b4445ada37467db4c0bcdec445853d35181a60616e89604dc5ee5c490127c0

MD5 hash:

b3e9dcd7223d84ed28ef3d5fbe60fd94

SHA1 hash:

f4554b8a52608be311b65c459780548bdb98b391

Link:

https://www.unpac.me/results/ef3bfea4-5a55-428e-913e-23932e5e6024/

SH256 hash:

7ef2a597a5b46a2e2511fd29ec344fb6e46583800513811ab96970d2152bef23

MD5 hash:

14a2e7847436adc727b382c22e60f8c3

SHA1 hash:

7a6b823da8c0d6549a48f9a5c8cc3c234fef75cd

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/ef3bfea4-5a55-428e-913e-23932e5e6024/

Parent samples :

c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
93924f89733fd4e1534e19d833740a2667ff990ebab775d891b669b5c728014a
0dbc9167676da74b238155c1234be3891b57cb15441b8f985dfdf295bc858a41
1243c7dc1cfed0ab5eaad14206b0ef280338c865abb712bc6d677db77d850dcc
4c6cf8c0b7ada1e9d9336ba46a3526ce98e8a7fe5ea37f02948371b1d24b0e7e
c7a440c994771410363293be06d6af76be0ded9c4a706d4b2b16b333187942bb
f85b33feed6b4f002c008c9ab364290fea609966cde31700196eb924f2618c8a
1073ba2e8e0bd68474d83047931abe5e8e494f315a61c5fc75acf0392cbd8409
eba046a1103330eec33d061399ec4388c9bcfd7a514c3b9745b6330c22423c8f

SH256 hash:

1073ba2e8e0bd68474d83047931abe5e8e494f315a61c5fc75acf0392cbd8409

MD5 hash:

5bc554e23600d1e5338a0a9cbef588a5

SHA1 hash:

e7a851e5281af9f2699096e686c36bdb84973f3c

Link:

https://www.unpac.me/results/ef3bfea4-5a55-428e-913e-23932e5e6024/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1073ba2e8e0bd68474d83047931abe5e8e494f315a61c5fc75acf0392cbd8409

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample