MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c6cf8c0b7ada1e9d9336ba46a3526ce98e8a7fe5ea37f02948371b1d24b0e7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	4c6cf8c0b7ada1e9d9336ba46a3526ce98e8a7fe5ea37f02948371b1d24b0e7e
SHA3-384 hash:	3a86916e76f9b302c72238ec5e355e2e9013ce4c9449a389ca80b1b1504ade2c06f804b2c300e169ac47b27c925e59d4
SHA1 hash:	d8e3301a141259d084bbf82f053e9ed364ceee2b
MD5 hash:	0e90469764b9fc15c03a5eca7c1ea3f4
humanhash:	florida-montana-oven-emma
File name:	4c6cf8c0b7ada1e9d9336ba46a3526ce98e8a7fe5ea37f02948371b1d24b0e7e
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'788'928 bytes
First seen:	2020-11-11 10:55:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	49152:UYgC8fWjHDCJ8uifPaY2eVYmoTXyegUAyefwz:UYgCeWg89fPaY2eVYmoTXyegUAyeY
Threatray	3'995 similar samples on MalwareBazaar
TLSH	0585078D7260B6DFC857CD369A681C64EB6078BB830BE243A05716ED9D4D95BCF240F2
Reporter	seifreed
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4c6cf8c0b7ada1e9d9336ba46a3526ce98e8a7fe5ea37f02948371b1d24b0e7e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-11 10:56:15 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

0375352dd935ee474c225b1e7c35707a10f7100b0167bbabd5a497dbb34777cf

Formbook

0492389f51ea478d6b922d2e41b7f8bf54c7231ed062bae93b8ede289926db7f

Formbook

1243c7dc1cfed0ab5eaad14206b0ef280338c865abb712bc6d677db77d850dcc

Formbook

4747e3d90198171f10ab973d32e0cbf1f679148832d1d10a6ec99a340b0a307f

Formbook

60831f31acc48a952e24869954c79277d27eeddb14c10d76d0a3b6e61a8e343d

Formbook

93924f89733fd4e1534e19d833740a2667ff990ebab775d891b669b5c728014a

Formbook

bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d

Formbook

bf6af5ed0a5504358dc8a24b7b37c5f7ed9ed7e6b2760b64e0650a845880d3ed

Formbook

c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe

Formbook

+ 3'985 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201111-9n4mxtwyj6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.goldenlinkpowerdeals.com/esp5/

Unpacked files

SH256 hash:

4c6cf8c0b7ada1e9d9336ba46a3526ce98e8a7fe5ea37f02948371b1d24b0e7e

MD5 hash:

0e90469764b9fc15c03a5eca7c1ea3f4

SHA1 hash:

d8e3301a141259d084bbf82f053e9ed364ceee2b

Link:

https://www.unpac.me/results/5b48f30c-c4a9-4834-8f23-22657e0004bd/

SH256 hash:

ce15d429a32aa3f478b5399f19ff18242ceddf136a996b59ff317d3a63a86a43

MD5 hash:

1b744129f16822329d094ea37760d3ad

SHA1 hash:

35ff1971fbb66a763ee833972d1aaa4f655a5c57

Link:

https://www.unpac.me/results/5b48f30c-c4a9-4834-8f23-22657e0004bd/

SH256 hash:

db47daa51ae987d1da81bd9cf0b713533c81eb8df9ce67fb182c9afc9ad666fa

MD5 hash:

5ca3744ab1932b28c315fa9852a895a3

SHA1 hash:

76f964da56479839eb380df8ea9d2d86096d2368

Link:

https://www.unpac.me/results/5b48f30c-c4a9-4834-8f23-22657e0004bd/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/5b48f30c-c4a9-4834-8f23-22657e0004bd/

SH256 hash:

7ef2a597a5b46a2e2511fd29ec344fb6e46583800513811ab96970d2152bef23

MD5 hash:

14a2e7847436adc727b382c22e60f8c3

SHA1 hash:

7a6b823da8c0d6549a48f9a5c8cc3c234fef75cd

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/5b48f30c-c4a9-4834-8f23-22657e0004bd/

Parent samples :

c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
93924f89733fd4e1534e19d833740a2667ff990ebab775d891b669b5c728014a
0dbc9167676da74b238155c1234be3891b57cb15441b8f985dfdf295bc858a41
1243c7dc1cfed0ab5eaad14206b0ef280338c865abb712bc6d677db77d850dcc
4c6cf8c0b7ada1e9d9336ba46a3526ce98e8a7fe5ea37f02948371b1d24b0e7e
c7a440c994771410363293be06d6af76be0ded9c4a706d4b2b16b333187942bb
f85b33feed6b4f002c008c9ab364290fea609966cde31700196eb924f2618c8a
1073ba2e8e0bd68474d83047931abe5e8e494f315a61c5fc75acf0392cbd8409
eba046a1103330eec33d061399ec4388c9bcfd7a514c3b9745b6330c22423c8f

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample