MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48b81558e59b18c3d20b057608cf34821e4dbf7779a69af50530c611dac0738e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	48b81558e59b18c3d20b057608cf34821e4dbf7779a69af50530c611dac0738e
SHA3-384 hash:	09131d7bcb53022e633af5292abecb1cc98d4eab87c1b1c774845606221627d0a4edcd62fc889d9a88a32e3ed236ca4c
SHA1 hash:	aefd3a17e58fd0eb96422d66f06ee75bf0cfee8b
MD5 hash:	3b5cc52ebfb46933d7665cf6125d9b72
humanhash:	blue-tennessee-comet-angel
File name:	SecuriteInfo.com.Trojan.Siggen9.57461.12541.13331
Download:	download sample
Signature	Formbook Create hunting rule
File size:	796'160 bytes
First seen:	2020-08-01 19:32:22 UTC
Last seen:	2020-08-02 07:34:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	22deacb359083bf59a3af3bef7aaca4c (3 x Formbook)
ssdeep	12288:qTcVAXwaU1kf88LvZ6JA/1ub3h130xSOE3a5WLCHkjefIVKXOWWTTTTTTRTTTTTp:wOXaU2LzgGNEf0xKavEj4IVK+l
Threatray	4'855 similar samples on MalwareBazaar
TLSH	2F05BF66B2D04833C167163DDD0B97A89C35BE513E2899866FF53D4C4F39B81383A2A7
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

2

# of downloads :

67

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/37023/

Detection(s):

SecuriteInfo.com.Variant.Graftor.792753.28478.21664.UNOFFICIAL

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/406756

Signature

Detected unpacking (changes PE section rights)

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/48b81558e59b18c3d20b057608cf34821e4dbf7779a69af50530c611dac0738e/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2020-07-09 12:16:43 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jc4bkwhftmmmhuqlav3artzuqipe3p3xpgtjv5ifgddbdwwaooha._file

Verdict:

malicious

Similar samples:

2edc612812919760be42de00fde052d6808281cd5009fb6050b21b67cc6db93f

590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23

5b5dcd2dd420cb6a9ef69b94fb8340145ca859897285ef38d87b38b1757af463

6f95416c1006a499c7012c6cde49a27f83223c665cf9b28764030afeb04bf697

85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd

9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264

a6009a6b0724811f3bb71fc6f0c6b3b1aad71448948175949c7eb8af82034e91

b49e31db6107c37ac7f40732102d9b574f9bdcafbc227d22122a527e5142e9e4

c256666562b73aee6208fa0bacff25b832c0ec16fe7e7081a7c7ff3ef2016c83

e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4

+ 4'845 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200801-59hvdnrkxj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 48b81558e59b18c3d20b057608cf34821e4dbf7779a69af50530c611dac0738e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/410489/

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/37023/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample