MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4458df211fccf5c1d24b96ebb7b4191cc94edc0b0e13bbb80ae3919f015297d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

SHA256 hash: 4458df211fccf5c1d24b96ebb7b4191cc94edc0b0e13bbb80ae3919f015297d9
SHA3-384 hash: 30b338f07a0b5f5737a0f23ea1efe2202d15c15250d2270e2863c51c202c86423f88bb6e803b7b421e20bc0604575bca
SHA1 hash: 91cf9af178927ce6cd38d16fa246f0192815c7d0
MD5 hash: 77c9ea3033b075ae8897963c0bf08a5b
humanhash: angel-twelve-foxtrot-wyoming
File name: SecuriteInfo.com.Variant.Zusy.312576.18109.22424
Signature: Formbook
File size: 804'352 bytes
First seen: 2020-09-03 08:46:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c16adc9f6b07c8ee5c90d22d50952d1c (MalwareBazaar samples with this imphash: 7 x MassLogger, 1 x AgentTesla, 1 x Formbook)
ssdeep: 24576:ToYHyzf8WEE0us0U5xDO/Av1x4PaOnHGRkg:0CcFEE0Px2QYasmR
Threatray: 2'253 similar samples on MalwareBazaar
TLSH: A605AEE2B2934837D16316784D3B9774AC26FE102924A9862BF5DC7C5F39790393B293
Reporter: SecuriteInfoCom
Tags: FormBook
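Added example (this editor's code, not MalwareBazaar's) showing what the hash types in an entry like this one are good for as indicators. The exact hashes (MD5, SHA1, SHA256, SHA3-384) match only a byte-identical file, while the imphash fingerprints the PE import table and therefore survives a payload swap; that is why the same imphash shows up on MassLogger and AgentTesla samples here, pointing at a shared loader rather than a shared family. imphash() follows the public pefile definition, except that pefile's ordinal-to-name table for ws2_32/wsock32/oleaut32 is not reproduced (files importing those by ordinal should go through pefile). The import tables in the block are constructed sample data, not the imports of this sample.

```python
"""Hash indicators from a MalwareBazaar entry: exact hashes vs imphash."""
import hashlib
import sys

# Values copied from this MalwareBazaar entry.
ENTRY_HASHES = {
    "md5": "77c9ea3033b075ae8897963c0bf08a5b",
    "sha1": "91cf9af178927ce6cd38d16fa246f0192815c7d0",
    "sha256": "4458df211fccf5c1d24b96ebb7b4191cc94edc0b0e13bbb80ae3919f015297d9",
    "sha3_384": "30b338f07a0b5f5737a0f23ea1efe2202d15c15250d2270e2863c51c202c86423f88bb6e803b7b421e20bc0604575bca",
}
ENTRY_IMPHASH = "c16adc9f6b07c8ee5c90d22d50952d1c"

_STRIP_EXTS = ("dll", "ocx", "sys")


def exact_hashes(data: bytes) -> dict:
    """The four exact hashes MalwareBazaar lists, keyed as in ENTRY_HASHES."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ENTRY_HASHES}


def exact_matches(data: bytes) -> set:
    """Names of the entry's exact hashes this file reproduces.  Any hit means
    the file is byte-identical to the sample (a SHA256 hit is conclusive on
    its own; an MD5-only hit would be a collision and deserves a look)."""
    return {algo for algo, digest in exact_hashes(data).items()
            if digest == ENTRY_HASHES[algo]}


def imphash_string(imports) -> str:
    """Normalised 'lib.func,lib.func,...' string that imphash() digests.
    `imports` is a list of (dll name, function name or int ordinal) pairs in
    import-table order.  Library names are lowercased and lose a
    .dll/.ocx/.sys extension; names are lowercased; ordinals become 'ordN'
    (pefile additionally resolves known ws2_32/oleaut32 ordinals to names)."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIP_EXTS:
            lib = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalised import string; import order is significant."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed import table of a hypothetical loader stub (not this sample's).
# Whatever payload the stub carries, its own imports, and so its imphash,
# stay the same; that is what the cross-family imphash hits above reflect.
LOADER_STUB = [
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("KERNEL32.DLL", "VirtualProtect"),
    ("KERNEL32.DLL", "CreateProcessW"),
    ("KERNEL32.DLL", "WriteProcessMemory"),
    ("NTDLL.DLL", "NtUnmapViewOfSection"),
    ("USER32.DLL", "SetWindowsHookExW"),
]
# The same table as another tool might present it (lowercase, extensions
# already stripped).  imphash() must treat both forms identically.
LOADER_STUB_ALT = [(lib.lower().rsplit(".", 1)[0], fn.lower()) for lib, fn in LOADER_STUB]


def triage(data: bytes, imports) -> str:
    """What a hit on each indicator type does and does not tell you."""
    if exact_matches(data):
        return "identical to the MalwareBazaar sample"
    if imphash(imports) == ENTRY_IMPHASH:
        return "same import table as the sample: shared loader, pivot on ssdeep/TLSH before naming a family"
    return "no hash-level match"


if __name__ == "__main__":
    # Usage: python hash_check.py <file>   (import lists still need a PE
    # parser such as pefile; the constructed stub is used here instead)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else b""
    print(exact_hashes(blob))
    print("imphash of constructed stub:", imphash(LOADER_STUB))
    print(triage(blob, LOADER_STUB))
```

The practical consequence for pivoting: a SHA256 hit closes the question, an imphash hit only narrows it to "same packer or loader", and the family label still has to come from the unpacked payload or from the similarity hashes (ssdeep, TLSH) listed alongside it.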

Intelligence

File Origin
# of uploads: 1
# of downloads: 170
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature:
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook

Result
Threat name: Win32.Trojan.DelfInject
Status: Malicious
First seen: 2020-09-03 05:05:36 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: rat trojan spyware stealer family:formbook
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.
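Added example, not part of the MalwareBazaar entry or of any vendor's sandbox: a small detector for the injection chain the verdicts above describe (a process is created, memory is written or mapped into it, then its execution is redirected with SetThreadContext or a remote thread, and the injected process goes on to inject into a system or browser process). The trace format (caller pid, API name, target pid), the PIDs and the call sequence are constructed for this example and are not a real vendor schema or this sample's actual trace.

```python
"""Detect cross-process write-then-execute chains in an API call trace."""
from collections import defaultdict

# Constructed API trace in call order.  1000 hollows a freshly created child
# 2000, which then injects into an unrelated process 2100 (the "recently
# created process" followed by "system/browser process" pattern reported
# above).  3000 and 4000 are benign controls.
TRACE = [
    (1000, "CreateProcessW", 2000),
    (1000, "NtUnmapViewOfSection", 2000),
    (1000, "VirtualAllocEx", 2000),
    (1000, "WriteProcessMemory", 2000),
    (1000, "SetThreadContext", 2000),
    (1000, "ResumeThread", 2000),
    (2000, "OpenProcess", 2100),
    (2000, "NtMapViewOfSection", 2100),
    (2000, "CreateRemoteThread", 2100),
    (3000, "WriteProcessMemory", 3000),   # writing to itself: not injection
    (4000, "CreateProcessW", 4100),        # ordinary child, nothing written
    (4000, "ResumeThread", 4100),
]

CREATE_APIS = {"CreateProcessA", "CreateProcessW", "NtCreateUserProcess"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection"}
CONTEXT_APIS = {"SetThreadContext", "NtSetContextThread"}
THREAD_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread", "QueueUserAPC"}
EXEC_APIS = CONTEXT_APIS | THREAD_APIS


def technique_label(apis: set) -> str:
    """Name the variant from the APIs seen for one injector/target pair."""
    if apis & CREATE_APIS and apis & CONTEXT_APIS:
        return "process hollowing"
    if apis & THREAD_APIS:
        return "remote thread / APC injection"
    return "thread context hijack"


def find_injections(trace):
    """One finding per (injector, target) pair where memory was written into
    another process and execution was redirected afterwards.  The order
    check matters: a context change with no preceding write into the target
    is not this technique and would only add noise."""
    per_pair = defaultdict(list)
    for caller, api, target in trace:
        if caller != target:
            per_pair[(caller, target)].append(api)
    findings = []
    for (caller, target), apis in per_pair.items():
        seen = set(apis)
        if not (seen & WRITE_APIS and seen & EXEC_APIS):
            continue
        first_write = min(i for i, a in enumerate(apis) if a in WRITE_APIS)
        last_exec = max(i for i, a in enumerate(apis) if a in EXEC_APIS)
        if last_exec < first_write:
            continue
        findings.append({
            "injector": caller,
            "target": target,
            "technique": technique_label(seen),
            "apis": apis,
        })
    return findings


def injection_chain(findings):
    """PIDs that were injected into and then injected into something else
    themselves: the hand-off from the hollowed child to a system process."""
    targets = {f["target"] for f in findings}
    return sorted(f["injector"] for f in findings if f["injector"] in targets)


if __name__ == "__main__":
    hits = find_injections(TRACE)
    for h in hits:
        print(f"{h['injector']} -> {h['target']}: {h['technique']} ({', '.join(h['apis'])})")
    print("pivot processes:", injection_chain(hits))
```

Keying on (injector, target) pairs rather than on single API names is what separates this from the per-call "suspicious use of WriteProcessMemory" signals above: each of those APIs is common in benign software, but a write into another process followed by execution redirection in the same pair is not, and the injection_chain() step surfaces the second hop that the vendor behaviour list records as injection into a system or browser process.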

File information

The table below shows additional information about this malware sample, such as its delivery method and external references.

Delivery method: Web download
Signature: Formbook
File: Executable exe 4458df211fccf5c1d24b96ebb7b4191cc94edc0b0e13bbb80ae3919f015297d9 (this sample)

Delivery method
Distributed via web download

Comments