MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6145b68ae5c12af9d0dbbed80f15e68f073fb86dc4fc6343677c49fc7570a7d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6145b68ae5c12af9d0dbbed80f15e68f073fb86dc4fc6343677c49fc7570a7d7
SHA3-384 hash: 0b47ce6b060dcb29520ed90914dfcb701e30134ae0b02e95e95c6e704f2c260b4b79e45cf24cbdcdf0b96cf4a6716b5e
SHA1 hash: 203b07ee264cb7ac09d093e7782797c9ca37f8cb
MD5 hash: 791ce15cdab0f8a3af0de04479eeca0b
humanhash: violet-california-william-tennessee
File name:SecuriteInfo.com.Trojan.GenericKD.45645883.27137.31610
Download: download sample
Signature Formbook
Create hunting rule
File size:1'509'888 bytes
First seen:2021-01-31 12:07:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:bBiFG2WmywufxSDMquEnMbOShH+IMEo6Y1w75uux2fxqQ0e6hLz4lYoSiFb7Plvv:
Threatray 3'682 similar samples on MalwareBazaar
TLSH FF6519628CD37BC5F6F7C1A9478C384D57B557F0CB109E6C0A67A881560BBA43DEACA0
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order Catalogue.xlsx
Verdict:
Malicious activity
Analysis date:
2021-01-31 07:55:30 UTC
Tags:
encrypted exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/7d601f1d-5712-4246-8a34-d2541cde7bbc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114933/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/594770
Signature
.NET source code contains very large strings
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6145b68ae5c12af9d0dbbed80f15e68f073fb86dc4fc6343677c49fc7570a7d7/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-01-29 04:54:23 UTC
AV detection:
25 of 46 (54.35%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
182fd1343975d43f456f199f379210d562d15ea3c8e4c7bd59899d75c18a2fe9
Formbook
29b9120d8ad7140f77528da00668da77b956fd76ef4dd0ba0af550b771a387b2
Formbook
2d14644ecb7e3d6a7f6e2c8888ecda848a2a9dbf30dd534c5aa531a5c4bcef2e
Formbook
3013607bfee8bcca1767c2a33cea94602e3c97baba31f96fc8a08014cf2576b4
Formbook
5f42f68bc67c97ebf181c31e7c243eee3580ebc75bb2a277f1847ea2bcedecc3
Formbook
75f2a2a20e73b7e0c53d499b883a403c2b8cfbf17c5923d58e0167daa4c019c1
Formbook
b81777dd63f61edd70b7d1e24aaabb352c5c44cbfede6b813249144eea82c7ee
Formbook
ba41656ca5e0e243cff9f6a536c43998a9dbc492f5e813a0022e84359b2e0ef8
Formbook
c25dae1e3e6c72b36cf02a2a2eaaf3ee5c29b6e2b0cf1da64c3f521be54dc5e9
Formbook
cf5a2454c16d739c04939e84f71d62772620f7d0f90df49266e8493393da7167
Formbook
+ 3'672 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210131-qxmhlr84es/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.paeonystore.com/kre/
Unpacked files
SH256 hash:
6145b68ae5c12af9d0dbbed80f15e68f073fb86dc4fc6343677c49fc7570a7d7
MD5 hash:
791ce15cdab0f8a3af0de04479eeca0b
SHA1 hash:
203b07ee264cb7ac09d093e7782797c9ca37f8cb
Link:
https://www.unpac.me/results/4f83c95a-0ef5-4827-b186-6a97756113dc/
SH256 hash:
e3b046913eee102d92617fd5adc09b3aac5bcbf2f93fdda0a65a8410ecffd437
MD5 hash:
5d607f08ba2045e0759671b6eb8c2d27
SHA1 hash:
baccabd2bbe53351251b312a67fcefebac52563b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4f83c95a-0ef5-4827-b186-6a97756113dc/
SH256 hash:
298d03e6233b272dab79c987d3c37e9571c3dabd4ab2f76665f3becfbb168f63
MD5 hash:
4311dfa2e861b755c52e58358242756a
SHA1 hash:
bfd53c0d0a695a6fc1d01ab6c2e4277168b663c8
Link:
https://www.unpac.me/results/4f83c95a-0ef5-4827-b186-6a97756113dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/6145b68ae5c12af9d0dbbed80f15e68f073fb86dc4fc6343677c49fc7570a7d7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 6145b68ae5c12af9d0dbbed80f15e68f073fb86dc4fc6343677c49fc7570a7d7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/985042/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/114933/

Comments