MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 130a1070851bfc4e41ace49185b630338cd5c108a53e0d46d09a0abb258ece6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	130a1070851bfc4e41ace49185b630338cd5c108a53e0d46d09a0abb258ece6f
SHA3-384 hash:	e274e3299c276fdb675a61756d413a29471da609e42b1f7b7c1cef21bd75469d9c4dabed4b9be293a9e8883c417dfb12
SHA1 hash:	940c561255e3807ebb9d5913661e23ea730894c1
MD5 hash:	93ebc27be6576b8c23bc32d016b115c1
humanhash:	golf-oscar-equal-washington
File name:	ppp.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	352'768 bytes
First seen:	2020-07-13 13:33:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:fL0xkkBLY42frM/MvKaZZKQSb7ghuGNj5Clm+egsDMk+t13+P9lLiH:QP92frFSa3S2JYlmhvYk8h+P9A
Threatray	5'076 similar samples on MalwareBazaar
TLSH	EA74E08832B8B7AED8ABC3F28E241C246371707B8357C2575D4325DE995DF42CE50AA3
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/25357/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.380.16267.17245.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Launching cmd.exe command interpreter

Deleting a system file

Reading critical registry keys

Unauthorized injection to a system process

Unauthorized injection to a browser process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/130a1070851bfc4e41ace49185b630338cd5c108a53e0d46d09a0abb258ece6f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-10 18:40:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

1

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cmfba4efdp6e4qnm4siylnrqgognlqiiuu7a2rwqtiflwjmozzxq._file

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

1789be535367afa0097be7d9ef6c90523df01d10e40b712ed0ead826b46e99e1

344d949f94b4420c0cd7772fa786e17059d5599df223a93ef999ea2c663ad8be

3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b

45024576e848c50c9199cbfe61462e11551ec6ce99cb7ca39ae929dc77aa348f

590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23

5a8f518c22d4dc299a5e734663d77456864ca4eddb7c81ddf3f6e759363883c5

82a761b4157d1fa4e99dbf36c0f30935b19a1dd9875e330d81a70877aa07bc8a

8658d410a983457a4b8695ec47eeb1d777c967e5227f4c7784b7c308570c6449

9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838

de5eead1472726c48bab2f8551a161fea3ccd71ee11b4df8e89aa5b9874832a3

+ 5'066 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

evasion trojan spyware stealer family:formbook persistence

Link:

https://tria.ge/reports/200713-vrgm2wlqq2/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run entry to start application

Reads user/profile data of web browsers

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/25357/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample