MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1eb6d2eb88d3ebac022b8335e178275dd4b8883b7e5248a8a8c4a1da9faacddc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	1eb6d2eb88d3ebac022b8335e178275dd4b8883b7e5248a8a8c4a1da9faacddc
SHA3-384 hash:	6bed47176c2398f3806ed6ba989324888a04567c2a3e50a4f772b2e60d782c93129f6996809b8c4f447e050eefb33af9
SHA1 hash:	95e6ea08f2bcde4d9a6a34991140eff95078a5e3
MD5 hash:	8593062774c248e7437945406606a93d
humanhash:	mississippi-london-beer-diet
File name:	SecuriteInfo.com.W32.Ninjector.J.genCamelot.18207.29739
Download:	download sample
Signature	Formbook Create hunting rule
File size:	240'526 bytes
First seen:	2021-06-02 05:37:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:8Qq+Wn/ZDIH+M9Qog94VmmKj7nF21vT8PGVPBp:TW/Zn2tbVmR7MxiGVPBp
Threatray	5'537 similar samples on MalwareBazaar
TLSH	B234126991C088FFE5021B726E5B9A79E27F9201132152DB5B147F3B1A36067CF2B783
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.Ninjector.J.genCamelot.18207.29739

Verdict:

Malicious activity

Analysis date:

2021-06-02 05:39:12 UTC

Tags:

installer

Link:

https://app.any.run/tasks/48bfc287-441c-4187-aeb8-37f54e7b3ac8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/163912/

Detection(s):

SecuriteInfo.com.W32.Ninjector.J.genCamelot.18207.29739.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/795618

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/1eb6d2eb88d3ebac022b8335e178275dd4b8883b7e5248a8a8c4a1da9faacddc/

Threat name:

Win32.Spyware.Noon

Status:

Malicious

First seen:

2021-06-02 03:05:54 UTC

AV detection:

8 of 47 (17.02%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d23nf24i2pv2yarlqm26c6bhlxklrcb3pzjerkfiysq5vh5kzxoa._file

Verdict:

malicious

Label(s):

formbook

Formbook

4f9d8536fa4475655dd14db7d472399f2b7214ddb16d3483f9a2a673e4fc1543

Formbook

6e1a82800736b1a05851d8eeca004861946ad916fe5566796e9303766de80131

Formbook

8943af6c4da94f93c169ef98a7b8393ca92b01753e89ea5503d5740bcc45296d

Formbook

98f8f84dbf9e3a4462066c94e447ba3bdc6bc3d0119511e8c6d6cea0234f885c

Formbook

9b7fd781016675bd73b0acc7e402bbdcf4dfa3e3df4a5dd7d7c9c850bc2d85e8

Formbook

9b9218d3692f38654cde45d5a9b01a6d5cb83aa5442c286fc4e073a6348e08d1

Formbook

b8b841d90fe179b235744659d1bf9cd9860ff6d081b25ef0d485beefcf59e28a

Formbook

c2b8d66b59eabf04dadf3af98e03e6f3aad3f289e826852fabda188863eb679b

Formbook

d885a2034e825199486fbe2eecbf1098e07c8ba36ffe3cca2518e3f332c48f28

Formbook

+ 5'527 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210602-v8hcws4gdj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.gicc-fx.com/uer0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/1eb6d2eb88d3ebac022b8335e178275dd4b8883b7e5248a8a8c4a1da9faacddc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/163912/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample