MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ca5615303fbf757380be438a8742de1ffeeecd253d57203eeffc420a8129ed0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	4ca5615303fbf757380be438a8742de1ffeeecd253d57203eeffc420a8129ed0
SHA3-384 hash:	3a75d639c6b011a65e07a63dca66e8e260cd4f14ab2a4ea573da624f66b730031d0c98f84e5c68c3a087cdaf13ab7a77
SHA1 hash:	dc225e41278f365469b85d3e2282898c6a4e5df3
MD5 hash:	5b3b6633298b797bace77cee2fe0d84d
humanhash:	march-zulu-table-alabama
File name:	4ca5615303fbf757380be438a8742de1ffeeecd253d57203eeffc420a8129ed0
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'513'472 bytes
First seen:	2020-11-13 15:12:51 UTC
Last seen:	2024-07-24 14:02:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:mAuwQIrUiGBmMRMoXaDA8mR9Wa7C2cYo3wdnJkfLquM1r4mCpvIHgowWY:8wtUiGBbOkEA8mPWa72mkDMOZvQY
TLSH	1165E02273DEC360CB669133BF69B7016E7B78250A70B95B2F980D7DA950172163CB63
Reporter	seifreed
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Possible injection to a system process

Enabling autorun by creating a file

Unauthorized injection to a system process

Deleting of the original file

Unauthorized injection to a browser process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4ca5615303fbf757380be438a8742de1ffeeecd253d57203eeffc420a8129ed0/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2020-11-13 15:13:40 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jsswcuyd7p3vooal4q4kq5bn4h7653gskpkxea7o77ccbkast3ia._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201113-eb2c247lxj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Drops startup file

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.mizorl.com/ww/

Unpacked files

SH256 hash:

4ca5615303fbf757380be438a8742de1ffeeecd253d57203eeffc420a8129ed0

MD5 hash:

5b3b6633298b797bace77cee2fe0d84d

SHA1 hash:

dc225e41278f365469b85d3e2282898c6a4e5df3

Link:

https://www.unpac.me/results/741e2a79-81f4-4849-9056-7a0c926ef9b1/

SH256 hash:

363157b0dcbb90fa0bff430e730ad816c846e37ea5f81627f34ac8edb6aa92b5

MD5 hash:

0745139fef25e3e3e78260f1787a3de5

SHA1 hash:

028a23dce46effefc73245759a25f529478bbc9f

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/741e2a79-81f4-4849-9056-7a0c926ef9b1/

Parent samples :

2a8615b0a48f00fdd2165af779fedfb65af589ba9da79f6247ae5ea515e859d1
4ca5615303fbf757380be438a8742de1ffeeecd253d57203eeffc420a8129ed0

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample