MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a8f518c22d4dc299a5e734663d77456864ca4eddb7c81ddf3f6e759363883c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a8f518c22d4dc299a5e734663d77456864ca4eddb7c81ddf3f6e759363883c5
SHA3-384 hash: f24adcca54a153737e4ef03624865f7989266cbee34652daf99e25a60fed9fad5089095e61f9fe147850d98e30e417a0
SHA1 hash: f26bacbf0a2d7ba48a43e42cc4a2c0fb5395ddc9
MD5 hash: 8e2342c9b19092467aa3c2fc45aaabf7
humanhash: asparagus-island-leopard-whiskey
File name:001.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:397'312 bytes
First seen:2020-07-22 15:13:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:XYOF/MVHZTP+k1PUm2GhNAr/lvlf5lR25b0HLIevFq06xo8N/yun8CN/Unx1Pkc/:XZF/MVp1PUm2iNSjR2kFM7xo8ZHtWhk
Threatray 5'362 similar samples on MalwareBazaar
TLSH 1D84CE11EBF40BEAEB5947B9E0611450ABB9651E63EAE70D2F91F1DC09327808713F27
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31246/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/395211
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249919 Sample: 001.exe Startdate: 23/07/2020 Architecture: WINDOWS Score: 100 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Sigma detected: Steal Google chrome login data 2->61 63 2 other signatures 2->63 10 001.exe 1 2->10         started        process3 file4 47 C:\Users\user\AppData\Local\...\001.exe.log, ASCII 10->47 dropped 13 RegSvcs.exe 10->13         started        process5 signatures6 79 Modifies the context of a thread in another process (thread injection) 13->79 81 Maps a DLL or memory area into another process 13->81 83 Sample uses process hollowing technique 13->83 85 2 other signatures 13->85 16 explorer.exe 1 6 13->16 injected process7 dnsIp8 51 www.crmghn.com 67.229.189.137, 80 VPLSNETUS United States 16->51 53 www.mtgclean.com 198.177.127.66, 49734, 80 FINALFRONTIERVG United States 16->53 55 www.datasolutionsshop.com 16->55 39 C:\Users\user\AppData\...\u0hhyxnbjk4dxxh.exe, PE32 16->39 dropped 65 System process connects to network (likely due to code injection or exploit) 16->65 67 Benign windows process drops PE files 16->67 21 cmmon32.exe 1 19 16->21         started        25 u0hhyxnbjk4dxxh.exe 2 16->25         started        file9 signatures10 process11 file12 41 C:\Users\user\AppData\...\4N8logrv.ini, data 21->41 dropped 43 C:\Users\user\AppData\...\4N8logri.ini, data 21->43 dropped 45 C:\Users\user\AppData\...\4N8logrf.ini, data 21->45 dropped 69 Detected FormBook malware 21->69 71 Tries to steal Mail credentials (via file access) 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 75 3 other signatures 21->75 27 cmd.exe 2 21->27         started        31 cmd.exe 1 21->31         started        33 conhost.exe 25->33         started        signatures13 process14 file15 49 C:\Users\user\AppData\Local\Temp\DB1, SQLite 27->49 dropped 77 Tries to harvest and steal browser information (history, passwords, etc) 27->77 35 conhost.exe 27->35         started        37 conhost.exe 31->37         started        signatures16 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5a8f518c22d4dc299a5e734663d77456864ca4eddb7c81ddf3f6e759363883c5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 15:13:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lkhvddbc2toctgs6ondghv3uk2dezjhn3n6idxpt63tvsnryqpcq._file
Verdict:
malicious
Similar samples:
130a1070851bfc4e41ace49185b630338cd5c108a53e0d46d09a0abb258ece6f
Formbook
1789be535367afa0097be7d9ef6c90523df01d10e40b712ed0ead826b46e99e1
Formbook
3c15d1bb32d82a136a76d6e8867506dc2cc12cc183ed5a5c79335cb569e7d52c
Formbook
8658d410a983457a4b8695ec47eeb1d777c967e5227f4c7784b7c308570c6449
Formbook
8b379923380c07a3447ec8dcba32e4522102f3e5a9b40ce74afd32bcc1d074e6
Formbook
9898e847968d9a38e9d33a618372ec13e726903761ea0787966ee82c737fd79f
Formbook
c53c864741e005d5b04ca3349e81597e61b8ee3ecd7a03cddd2d15d955cbb04a
Formbook
de5eead1472726c48bab2f8551a161fea3ccd71ee11b4df8e89aa5b9874832a3
Formbook
f3250b1ac9470b18b44d8c6591c22797a187c1aa02b364583eed5acb255f0328
Formbook
f626ac44e4d6711e2b2a128fbde9bebf2a8b7c66d7161376993d3252c16dd083
Formbook
+ 5'352 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:formbook persistence evasion
Link:
https://tria.ge/reports/200722-89r561jzjj/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/5a8f518c22d4dc299a5e734663d77456864ca4eddb7c81ddf3f6e759363883c5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/31246/
  
URLhaus
https://urlhaus.abuse.ch/url/417833/

Comments