MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dea433f33054ac40c2a4260902db354a5c6f8497b1aa266955ebde6a9c289d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	5dea433f33054ac40c2a4260902db354a5c6f8497b1aa266955ebde6a9c289d4
SHA3-384 hash:	f7cf61c5d8e64cb4fbb1610d61c8a0ee8bc86f8004d1daf7d1df79fa31ee96506916e5bc29f97d55061dac7914e2d216
SHA1 hash:	639c5be4a01958776c221814500ea8fe60a7958e
MD5 hash:	1b0e31e08fd315bf0e067db05610f47c
humanhash:	kitten-hot-lemon-oranges
File name:	5dea433f33054ac40c2a4260902db354a5c6f8497b1aa266955ebde6a9c289d4
Download:	download sample
Signature	Formbook Create hunting rule
File size:	809'472 bytes
First seen:	2020-11-11 10:59:41 UTC
Last seen:	2020-11-12 13:57:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:b40wcvXsmI2i3hH8bZrG4XCmXEWUMwICcz/gAmGbpa:bvXg2iJerHCmX9CgYp
Threatray	2'931 similar samples on MalwareBazaar
TLSH	8D057C144EA58F4FD77D137E8010D2C047F582D1936AEBD63DC098EEA9CA641EB1B1EA
Reporter	seifreed
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Launching cmd.exe command interpreter

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5dea433f33054ac40c2a4260902db354a5c6f8497b1aa266955ebde6a9c289d4/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-11 11:00:31 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

1f58e0127c25c0a356436a3c78bcf05de2afacff0cba41275972d25a4be0bbfd

Formbook

2bed744d28b0e98b998ee08a830c52655037ca72f311159c7125ad123369f006

Formbook

5b5dc3238b5c70ae42e90e4428fe493eec98be9a4bb82bf23248f6d9e24da2fe

Formbook

66c90051427f1fa801535028868a50ca3302392836ceaf8804c992e9f20dc372

Formbook

677e6a668cdcfbc698dccca98c79caef7b7b82ced81da5e405fb9b0f809e647f

Formbook

76b5083ce1a34c82e63cded85ecdf767f9d254e99a0d49174fbdd4a449857e41

Formbook

87f83df5fdaabe9b71e77fe26640c185b8312cc5cbd34ebcc6dc047d72885299

Formbook

da455c9459a51e64557b7f36c33a3ef60fdc43b647d1f2f480c3de5d31b2aa2f

Formbook

e3114262b2bf20de2c2b95534ba7c5ce497f894a3ecd99005f698a853c7f3b3e

Formbook

+ 2'921 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201111-3kcsr8r3jj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.unpreneurmania.com/ve9i/

Unpacked files

SH256 hash:

5dea433f33054ac40c2a4260902db354a5c6f8497b1aa266955ebde6a9c289d4

MD5 hash:

1b0e31e08fd315bf0e067db05610f47c

SHA1 hash:

639c5be4a01958776c221814500ea8fe60a7958e

Link:

https://www.unpac.me/results/de6cb51f-a490-4f40-b33b-fcc7e8d74133/

SH256 hash:

67fd1dbaeca3443b145b7c7fedb9b625999530955626c44d8fec734a3f42f7bb

MD5 hash:

82e0454a7f8907667553e10182a1cbe5

SHA1 hash:

1c015aa14199a68a9e003cba5203b776c3b06ea3

Link:

https://www.unpac.me/results/de6cb51f-a490-4f40-b33b-fcc7e8d74133/

SH256 hash:

c74786e41e7ffe3d4105581680050a529e91ae038faad2065671d545e9d50e3b

MD5 hash:

ecc476942eebdad1c77188fe9317ee43

SHA1 hash:

7cbd91a9c7b55f21bb2acf7569c738262bed5dfa

Link:

https://www.unpac.me/results/de6cb51f-a490-4f40-b33b-fcc7e8d74133/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/de6cb51f-a490-4f40-b33b-fcc7e8d74133/

SH256 hash:

dc57ac73e5e16ae752fb86990d0e6bcd6534b7cf0cee73e673f23ec7fab976e8

MD5 hash:

ec4c2692652833ef0e57ee2620408bc0

SHA1 hash:

016381be69fa5a737aa21e8841911472ec4ed469

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/de6cb51f-a490-4f40-b33b-fcc7e8d74133/

Parent samples :

e3114262b2bf20de2c2b95534ba7c5ce497f894a3ecd99005f698a853c7f3b3e
5dea433f33054ac40c2a4260902db354a5c6f8497b1aa266955ebde6a9c289d4
6088fdf1edd552252bb288832433235369aaebf4f5325b10118c430defade925
97f351f8f1b030f55625859da616c2a4ace18175162188e96a4c88b4488b091c

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample