MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48b81558e59b18c3d20b057608cf34821e4dbf7779a69af50530c611dac0738e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 48b81558e59b18c3d20b057608cf34821e4dbf7779a69af50530c611dac0738e
SHA3-384 hash: 09131d7bcb53022e633af5292abecb1cc98d4eab87c1b1c774845606221627d0a4edcd62fc889d9a88a32e3ed236ca4c
SHA1 hash: aefd3a17e58fd0eb96422d66f06ee75bf0cfee8b
MD5 hash: 3b5cc52ebfb46933d7665cf6125d9b72
humanhash: blue-tennessee-comet-angel
File name: SecuriteInfo.com.Trojan.Siggen9.57461.12541.13331
Signature: Formbook
File size: 796'160 bytes
First seen: 2020-08-01 19:32:22 UTC
Last seen: 2020-08-02 07:34:34 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 22deacb359083bf59a3af3bef7aaca4c
ssdeep: 12288:qTcVAXwaU1kf88LvZ6JA/1ub3h130xSOE3a5WLCHkjefIVKXOWWTTTTTTRTTTTTp:wOXaU2LzgGNEf0xKavEj4IVK+l
TLSH: 2F05BF66B2D04833C167163DDD0B97A89C35BE513E2899866FF53D4C4F39B81383A2A7
Reporter: @SecuriteInfoCom
Tags: FormBook

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 21
Origin country: US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature
Detected unpacking (changes PE section rights)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2020-07-09 12:16:43 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)

Signature: Formbook

File type: Executable exe

SHA256: 48b81558e59b18c3d20b057608cf34821e4dbf7779a69af50530c611dac0738e (this sample)

Comments