MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27cbd2139f326adf45adefa425f7295af578ac5d9ecceab36da74c5af53def1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	27cbd2139f326adf45adefa425f7295af578ac5d9ecceab36da74c5af53def1f
SHA3-384 hash:	133a70733a5400e100087bd086d414d237d58306c9b5539497abada37201bfaac6a072dcb28c204c4c99b772f8102d64
SHA1 hash:	6c18bf2fb587a9dd787a0535a834e0b645336b67
MD5 hash:	a5d2f1bcf4354d0b3128c0a85f0d95ea
humanhash:	double-alanine-lemon-two
File name:	PURCHASE ORDER_PDF.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	370'176 bytes
First seen:	2020-07-14 13:19:06 UTC
Last seen:	2020-07-14 13:50:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	6144:DnLfx3dk5+O3G7geDg8MjJDgEiSniaDvpIdpL4aDNsU86GmZ2bZkV1O:BNCQvSx7nia9IdpL4ahsU8DmZ2bO
Threatray	5'074 similar samples on MalwareBazaar
TLSH	9D7402107B884727E8BB5BB50DD09650B27FDDA397A3E35A5C8965ED38E0B9080C4B37
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

2

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/25681/

Detection(s):

SecuriteInfo.com.Trojan.Inject3.44652.7535.32269.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Enabling the 'hidden' option for analyzed file

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Reading critical registry keys

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/27cbd2139f326adf45adefa425f7295af578ac5d9ecceab36da74c5af53def1f/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2020-07-14 13:09:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

4

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Verdict:

malicious

Similar samples:

14bbd0cd681c1501f814ac5e7a4dc9b627bf410990edc77cf10ada83cd106d94

172842029f8937753e79843e36fcb4715c0f3a9de4b256585847df48caf8e10f

179043e8eb7c06144c67f58b2c2900ad10303862c0e5cd7e1fe5a4faf853f103

20e1306537cb762d25eccee8ebc9afe0a1356f02090346a1686a4472b55b127e

25e2619309515f2a7953682e8d4ea6d13b9c7030159aefbb8521d4316a58c19d

4a6187dd467be22cbd3eab6807d368c37535c488af22442498423da8124f35fa

5620eaea502dcc3bc31e10dc48478022f518a15956a4b6565c454dd062859eff

6023812166224ffe7f3ff3efacddccd27c4ae1f09aa2dc9e2f5c8557d6bb4382

8c55df1fdc1ac49e2c0a3b5b77bd044d842d2f6e38bd5f782d93853a560140fb

9bf2e6afa0656c8129746c95784146ba85f15ecf46081644192e5bbfd5899144

+ 5'064 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/200714-gwyjqw11ks/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Loads dropped DLL

Executes dropped EXE

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/25681/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample