MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 295b66b15ac99b8f3684995b627af139171b64b050baf27aafb0fffb8ab4f4eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 295b66b15ac99b8f3684995b627af139171b64b050baf27aafb0fffb8ab4f4eb
SHA3-384 hash: f919c22ae06e99cbc5238063d1e22ca21bd23452a5d99c7a952a499d69be1c655ac8f527f5b40e65a9303df2673b77af
SHA1 hash: 604f0efe22b4bd104eb4e05f5f6e8a73a0be8841
MD5 hash: 11439f9fe334fc3769f01c777dc72062
humanhash: carpet-nuts-robert-edward
File name:SecuriteInfo.com.Artemis11439F9FE334.11180
Download: download sample
Signature Formbook
Create hunting rule
File size:891'392 bytes
First seen:2020-10-26 13:46:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1496cafa3f41b8b2ba3e8c456ce5709d (12 x AsyncRAT, 7 x AgentTesla, 6 x Loki)
ssdeep 12288:fcKL9CyOXr2P3tSAD5lDCPjgjAKrUwODsveMbg1NmTWXdaH3AgFgmm:flbCaffOj29UhDogiCtazt
Threatray 2'732 similar samples on MalwareBazaar
TLSH 63158E2EB29148F3F56329789C1B5764AC26BE103D247A462BF5DCC8DF7968138392D3
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79089/
Detection(s):
SecuriteInfo.com.Artemis11439F9FE334.11180.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/511831
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/295b66b15ac99b8f3684995b627af139171b64b050baf27aafb0fffb8ab4f4eb/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 10:45:36 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
72696d78e02a5f32462855866fee3ddba93f53a0a1bb84c58c98e84d623f3abd
Formbook
76b5083ce1a34c82e63cded85ecdf767f9d254e99a0d49174fbdd4a449857e41
Formbook
81c1d78fd9c2c4e78b74976875c7ea0ac39ab5c87f5d1671e203c8c05bce01ca
Formbook
89c0e9f07b4245f97dccad1b925e19ad1a436b61c5fce2f2f12bc05c0042dcbe
Formbook
a76869f6ece56a889175cb2cebdb60e4a24025184ebeb7fa9c6210668eb023fe
Formbook
ac2e9615b368e00fb4bf4d5180bbfc0d6fb7bbce3fa1af603d346d7a8f2450e5
Formbook
adfaf60f2ef07cd0b6f3fdd429fb94e76376ebf41b0b615d2664449e6adb358e
Formbook
afbb4d08bfde470b3405f98f84a5be0456cf40edf8f08f7b4cb7a6cfcf5ee682
Formbook
da455c9459a51e64557b7f36c33a3ef60fdc43b647d1f2f480c3de5d31b2aa2f
Formbook
e85ece3cee51156974c3fb8f0e2c707dae2b51b0d2db9e5fb10531d2fdd76ca6
Formbook
+ 2'722 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201026-6namdsnkvj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.eparegistrar.com/cia6/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 295b66b15ac99b8f3684995b627af139171b64b050baf27aafb0fffb8ab4f4eb

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/79089/
  
URLhaus
https://urlhaus.abuse.ch/url/752159/
  
Delivery method
Distributed via web download

Comments