MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 5d18154aa0c1b10a47a67caed485e555ed98d535f718388e7ffcb1df40429899. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 7
| SHA256 hash: | 5d18154aa0c1b10a47a67caed485e555ed98d535f718388e7ffcb1df40429899 |
|---|---|
| SHA3-384 hash: | 89df23b15b335624a1e60fca25e9c9038fc393994a12482aaed9bced1f32c0dd78e629b43dfb56d973d995626a621959 |
| SHA1 hash: | b327147c1ec52c893128efa0bb03db429db62404 |
| MD5 hash: | 2185a9b1d21b3e257a05de6b8bf79e28 |
| humanhash: | saturn-spring-social-video |
| File name: | 5d18154aa0c1b10a47a67caed485e555ed98d535f718388e7ffcb1df40429899 |
| Download: | download sample |
| Signature | Formbook |
| File size: | 776'242 bytes |
| First seen: | 2020-11-15 22:45:34 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 905a07a764c20120e1d8bffe07d1a20d (4 x FormBook) |
| ssdeep | 12288:gT+ASHP3xKmxIu4REB8Ow4bArvMHCkzPOMu8VUR9n2yLupvXSdNXNlL:gTUPV4REq4beMvpu8VQuZSnzL |
| TLSH | 94F4CFE36DE25437D1EB2B7C888B5E595429BE013918684E7BD42C0C9F3B6B1381E25F |
| Reporter |  seifreed |
| Tags: | FormBook |
Intelligence
File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Trojan.Ymacco
Status:
Malicious
First seen:
2020-11-15 22:46:15 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
5/5
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetThreadContext
Adds Run key to start application
Uses the VBS compiler for execution
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.dixdiiy.com/pm/
Unpacked files
SH256 hash:
5d18154aa0c1b10a47a67caed485e555ed98d535f718388e7ffcb1df40429899
MD5 hash:
2185a9b1d21b3e257a05de6b8bf79e28
SHA1 hash:
b327147c1ec52c893128efa0bb03db429db62404
SH256 hash:
c35a0a6066401eff43970eb65ed196b880a7af136f39d3115f29faf3052a2d49
MD5 hash:
6dfe83c506262f8688413c4b9e2f9682
SHA1 hash:
c1246b948dab12c1a48c41e0cf75f98f36284fab
SH256 hash:
5345d0e3651d587fcffb03828f3c895508a54e3d8215dd23a07d9a51e877df9f
MD5 hash:
5752cc1fbe5a885f86d0d1beedaeebda
SHA1 hash:
593b2399c81fe89db64a5d11ac59cb5da4d16cb1
Detections:
win_golroted_auto
SH256 hash:
863a05d56b64256127336a9bdaebc6fc82dfa45f97096f7ffc20066c8b2fcbc3
MD5 hash:
e72ff64603c74ed25c363673861009c5
SHA1 hash:
b70b5a6a8eebcb402824108113697f65bbe96e50
Detections:
win_formbook_g0
win_formbook_auto
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Delivery method
Other
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.