MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48f56a967a18db7e4b8832fc8580151fe539b2b97bd29cbfac6048a42ab18edb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12



SHA256 hash: 48f56a967a18db7e4b8832fc8580151fe539b2b97bd29cbfac6048a42ab18edb
SHA3-384 hash: 85e036c0748bd4c277a04f9b21ca36d0a82b774c677052e8909e7b1eb649b463665d23b9a1115c78ef06db89859aab62
SHA1 hash: d59d810199fdcf3bccecf27ee840e6a36b8520d1
MD5 hash: cf43cb75fa3dda2a2365c2bcd963f822
humanhash: massachusetts-alanine-high-video
File name: cf43cb75fa3dda2a2365c2bcd963f822.exe
Download: download sample
Signature: Formbook
File size: 740'352 bytes
First seen: 2020-12-17 07:22:58 UTC
Last seen: 2020-12-17 08:32:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:8qtEDCWXx6adC6gf2fmgcK9l3tTph3wEuwNAzf1uw23OSiC0Iep+3Rt4fyO+NyC0:80EC6gsVnl9tnc1M+Si/p+34fyO+A
Threatray: 3'185 similar samples on MalwareBazaar
TLSH: 28F48D243EFE6019F173AF768AD475D2DAAFFA733706D41E1491138A0723A81CD9163A
Reporter: abuse_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 127
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: cf43cb75fa3dda2a2365c2bcd963f822.exe
Verdict: Suspicious activity
Analysis date: 2020-12-17 07:23:26 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions, not only the uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature
Injects a PE file into foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected FormBook
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-12-17 01:57:39 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Formbook Payload
ServiceHost packer
Formbook
Malware Config
C2 Extraction: http://www.mommabearmoney.com/et2d/
Unpacked files

SHA256 hash: 48f56a967a18db7e4b8832fc8580151fe539b2b97bd29cbfac6048a42ab18edb
MD5 hash: cf43cb75fa3dda2a2365c2bcd963f822
SHA1 hash: d59d810199fdcf3bccecf27ee840e6a36b8520d1

SHA256 hash: 712207f07595f8b5a3f4237eead43307fbfbc6ce212700e0af29e80bd5437755
MD5 hash: 8bfdbcf40ceca4e8c4d0f514e836c036
SHA1 hash: 2ee4ffb9bd8ef0dfb501f37db98a88a036107917

SHA256 hash: fe4ac24da21e8637fdd78e0cf7f83ea25eb29e91e0298072ad01d2536cb23d0b
MD5 hash: 950438ed48526ddfedf08b23225ae0c3
SHA1 hash: e29195953567091c6f165127e6d3bf4a30bda15c

SHA256 hash: b361a26bb187659a188c4cc078c5a4e24152fd4c9dc855ba8567846de9b3004f
MD5 hash: 187af2855c1c019baa97d15b4218b89b
SHA1 hash: e60f57e562f5481233106d72b0e9b4618a047904

SHA256 hash: 39a4cf40acdfeee33275cf44b5ea38aa4174af972460ad0f23f059273e6fedf8
MD5 hash: 5ab701b999787c6bb5774d127a9a8923
SHA1 hash: a6e85d2eac5ab8526db2058325f15c4f7ec3aef2

Detections: win_formbook_g0 win_formbook_auto
Please note that we are no longer able to provide a coverage score for Virus Total.
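The indicators above are what a responder would actually pivot on: the full-file digests of the submitted sample and its unpacked files, and the extracted C2 URL. The imphash is deliberately not used as an indicator, because the page's own counts show it shared by tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples. The following is an added example, not MalwareBazaar's or any listed vendor's tooling: it loads the page's hashes and C2 URL as an IOC set, checks a file inventory (hash exports, case-normalized) against them, and sweeps proxy log lines for requests to the C2 host. The inventory records, the log format and the log lines are constructed for the demo.

```python
"""IOC matcher built from the indicators in this MalwareBazaar entry.

Added example, not MalwareBazaar's own code. Digests and the C2 URL are
copied from the page; inventory records and log lines are constructed.
"""
import hashlib
from urllib.parse import urlsplit

# File hashes from the page: the submitted sample plus the unpacked files.
IOC_HASHES = {
    "sha256": {
        "48f56a967a18db7e4b8832fc8580151fe539b2b97bd29cbfac6048a42ab18edb",
        "712207f07595f8b5a3f4237eead43307fbfbc6ce212700e0af29e80bd5437755",
        "fe4ac24da21e8637fdd78e0cf7f83ea25eb29e91e0298072ad01d2536cb23d0b",
        "b361a26bb187659a188c4cc078c5a4e24152fd4c9dc855ba8567846de9b3004f",
        "39a4cf40acdfeee33275cf44b5ea38aa4174af972460ad0f23f059273e6fedf8",
    },
    "sha1": {
        "d59d810199fdcf3bccecf27ee840e6a36b8520d1",
        "2ee4ffb9bd8ef0dfb501f37db98a88a036107917",
        "e29195953567091c6f165127e6d3bf4a30bda15c",
        "e60f57e562f5481233106d72b0e9b4618a047904",
        "a6e85d2eac5ab8526db2058325f15c4f7ec3aef2",
    },
    "md5": {
        "cf43cb75fa3dda2a2365c2bcd963f822",
        "8bfdbcf40ceca4e8c4d0f514e836c036",
        "950438ed48526ddfedf08b23225ae0c3",
        "187af2855c1c019baa97d15b4218b89b",
        "5ab701b999787c6bb5774d127a9a8923",
    },
}

# C2 URL from the extracted malware config. Matching is on the exact host:
# a beaconing sample need not request this exact path.
C2_URLS = ["http://www.mommabearmoney.com/et2d/"]
C2_HOSTS = {urlsplit(u).hostname.lower() for u in C2_URLS}


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def match_hashes(digests: dict) -> list:
    """Return [(algo, digest)] for every digest found in the IOC set.

    Lower-cases first: EDR and inventory exports often emit upper-case hex.
    Algorithms with no IOC list (e.g. sha3_384) are ignored, not errors.
    """
    hits = []
    for algo, digest in digests.items():
        digest = digest.lower()
        if digest in IOC_HASHES.get(algo, set()):
            hits.append((algo, digest))
    return hits


def scan_inventory(records: list) -> list:
    """Apply match_hashes to records of the form {"path": ..., "<algo>": ...}."""
    hits = []
    for rec in records:
        digests = {k: v for k, v in rec.items() if k != "path"}
        for algo, digest in match_hashes(digests):
            hits.append((rec["path"], algo, digest))
    return hits


def match_proxy_log(lines: list) -> list:
    """Return [(line_no, host, url)] for requests to a known C2 host.

    Assumed (constructed) format: "<timestamp> <client-ip> <method> <url> <status>".
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash the sweep
        host = urlsplit(parts[3]).hostname
        if host and host.lower() in C2_HOSTS:
            hits.append((n, host.lower(), parts[3]))
    return hits


# Constructed demo data. The second record reuses the page's SHA1 of an
# unpacked file, upper-cased on purpose; the third log line is a look-alike
# host that an exact-host match must NOT flag.
DEMO_INVENTORY = [
    {"path": r"C:\Users\a\Downloads\invoice.exe",
     "sha256": hash_bytes(b"not the sample")["sha256"]},
    {"path": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "sha1": "2EE4FFB9BD8EF0DFB501F37DB98A88A036107917"},
]
DEMO_PROXY_LOG = [
    "2020-12-17T07:30:01Z 10.0.0.15 GET http://www.example.com/ 200",
    "2020-12-17T07:30:09Z 10.0.0.15 GET http://www.mommabearmoney.com/et2d/?q=x 200",
    "2020-12-17T07:30:12Z 10.0.0.15 GET http://mommabearmoney.com.evil.test/et2d/ 200",
]

if __name__ == "__main__":
    print(scan_inventory(DEMO_INVENTORY))
    print(match_proxy_log(DEMO_PROXY_LOG))
```

Exact host matching is used on purpose: the page gives one C2 URL, and matching on substrings or on a path like `/et2d/` would either miss other paths the same host serves or flag unrelated domains that happen to contain the string.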

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Formbook
Author: JPCERT/CC Incident Response Group
Description: detect Formbook in memory
Reference: internal research

Rule name: Malware_Floxif_mpsvc_dll
Author: Florian Roth
Description: Malware - Floxif
Reference: Internal Research

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook
Executable exe 48f56a967a18db7e4b8832fc8580151fe539b2b97bd29cbfac6048a42ab18edb
(this sample)

Delivery method: Distributed via web download

Comments