MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2edc612812919760be42de00fde052d6808281cd5009fb6050b21b67cc6db93f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	2edc612812919760be42de00fde052d6808281cd5009fb6050b21b67cc6db93f
SHA3-384 hash:	ab7de1881ec6e9abd786edfe49482a44838dd9d25c8b6a237f618ebd454bf6acb31c68dc9b0166a25ec04d2bb8b0df4d
SHA1 hash:	05caf17950016f78f93551a87456582778991a07
MD5 hash:	7507fa9b94527509a21acb9bfe828508
humanhash:	south-robin-mirror-river
File name:	vv.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	793'600 bytes
First seen:	2020-07-07 15:20:57 UTC
Last seen:	2020-08-02 07:32:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	22deacb359083bf59a3af3bef7aaca4c (3 x Formbook)
ssdeep	12288:nTcVAXwaU1kf88LvZ6JA/1ub3h130xSOBzt6h8oU9Enx:TOXaU2LzgGNEf0x3G
Threatray	4'833 similar samples on MalwareBazaar
TLSH	73F4BF62B2D04833C167163D9D1B97A8983AFE512E3859866FF53D4C4F39B8138362E7
Reporter	JAMESWT_WT
Tags:	FormBook

Intelligence

File Origin

# of uploads :

4

# of downloads :

85

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/22355/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Possible injection to a system process

Unauthorized injection to a system process

Deleting of the original file

Unauthorized injection to a browser process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/2edc612812919760be42de00fde052d6808281cd5009fb6050b21b67cc6db93f/

Threat name:

Win32.Trojan.Swotter

Status:

Malicious

First seen:

2020-07-07 15:22:06 UTC

File Type:

PE (Exe)

Extracted files:

42

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Verdict:

malicious

Similar samples:

590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23

5b5dcd2dd420cb6a9ef69b94fb8340145ca859897285ef38d87b38b1757af463

688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388

6f95416c1006a499c7012c6cde49a27f83223c665cf9b28764030afeb04bf697

85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd

9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264

b49e31db6107c37ac7f40732102d9b574f9bdcafbc227d22122a527e5142e9e4

b57c9384280389b262d09cb4fa5b5465aadd4aaba2afb6d48c5d6e7c3f8d923e

c256666562b73aee6208fa0bacff25b832c0ec16fe7e7081a7c7ff3ef2016c83

e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4

+ 4'823 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

trojan spyware stealer family:formbook persistence

Link:

https://tria.ge/reports/200707-vf2rm48l3e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run entry to start application

Deletes itself

Reads user/profile data of web browsers

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 2edc612812919760be42de00fde052d6808281cd5009fb6050b21b67cc6db93f

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/408667/

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/22355/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample