MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68357db2a89dda1c9dc7b89d5f937e615e26c885dac2109d7c6c7e303c93c4ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68357db2a89dda1c9dc7b89d5f937e615e26c885dac2109d7c6c7e303c93c4ec
SHA3-384 hash: be1e25726e18b5d09a2bd7cedbb294f58360cb0478a1d438d8576c0662cac182cbc0f83cfb0028af47d7abc797539481
SHA1 hash: 597621dd8f55c5399723f2a6f3e75a22a7a336b6
MD5 hash: 7abcfd428e72ce9cc2bdeef462e31523
humanhash: idaho-paris-nuts-tango
File name:SecuriteInfo.com.Trojan.PackedNET.424.6941.7404
Download: download sample
Signature Formbook
Create hunting rule
File size:616'960 bytes
First seen:2020-11-06 13:53:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:6D2DI3G80YGFinjpw4U6YODLyC+Po8SAd2T9v8Dq0meMbaW6:69n0YSin2t1OnyC+Rs9v8DqIMH6
Threatray 2'846 similar samples on MalwareBazaar
TLSH 19D4019EE36436DCD6A77BB082EC5A904A32F1B46131A5EF0C0EC44F06F65B4B653792
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.6941.7404.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68357db2a89dda1c9dc7b89d5f937e615e26c885dac2109d7c6c7e303c93c4ec/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 11:03:13 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07b296fafcefb5dbbf7148a96fc968664011aca0070b72732fb00886fbea9741
Formbook
106f9f66c54be3c20be8f04ce63f5d6183d6eb9e79a6b243b5c820cc01ee24cb
Formbook
262d8dd389aad1ef11023ded97da5703e88f1a96c2b0b8a1dbdde5fa7ee04022
Formbook
816581131b3f726da0cfef239111730e74f04e9015df6a519b92a7e0d6e2cd6a
Formbook
a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b
Formbook
ad8c070c48103dbc11875a052aa0447395f6ddda11e3f9e8aed091f0bb14050d
Formbook
b4213727c8bb27212ca209b37f9583f6b4b4b3a9ccb78c2a7d4f0057a469c65c
Formbook
da8c31096f9e2ffc9a1fea4a63d6440cfda55349845300b4f333a02317c73dde
Formbook
e38e6ac839b8009c1c6d467ed4206f912c39a15af7a1fa7ba4a2a854e441fe50
Formbook
e6ff6d164a876c50bfc4a6f7b6397914f9656d0e4aef1ceba65f1e92ed1b6c69
Formbook
+ 2'836 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201106-lkmg3gq88j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.enovasea.com/mlr/
Unpacked files
SH256 hash:
68357db2a89dda1c9dc7b89d5f937e615e26c885dac2109d7c6c7e303c93c4ec
MD5 hash:
7abcfd428e72ce9cc2bdeef462e31523
SHA1 hash:
597621dd8f55c5399723f2a6f3e75a22a7a336b6
Link:
https://www.unpac.me/results/8469e73c-b1fa-4506-8dcc-073985707346/
SH256 hash:
695038835fe575913456d6df08f0c2899feea9738377d84fb86b59f82c92923d
MD5 hash:
79b2b6da6e450f0eb7a3b3d6e355ebb1
SHA1 hash:
3ac0cb43c057b9c92cc637c89f475174e202547c
Link:
https://www.unpac.me/results/8469e73c-b1fa-4506-8dcc-073985707346/
SH256 hash:
70ef0f531eb026742efdef95831e68cdcb74f131b18d9b994103809dd46f6176
MD5 hash:
d1991af253cf0213e7408c97be678eff
SHA1 hash:
b51947ca8060c31ca2b32581bdf7591f3682e9de
Link:
https://www.unpac.me/results/8469e73c-b1fa-4506-8dcc-073985707346/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/8469e73c-b1fa-4506-8dcc-073985707346/
SH256 hash:
dbe5870d7a3623427e2a3dc75031233878a8ab0cefa8324d423e2ae98b4342ad
MD5 hash:
0abbafee4474faca8c0321fc7a3445a7
SHA1 hash:
8199da6599978f25e97d29b68f7a68a231bed46f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/8469e73c-b1fa-4506-8dcc-073985707346/
Parent samples :
68357db2a89dda1c9dc7b89d5f937e615e26c885dac2109d7c6c7e303c93c4ec
5c262eeac56f9ceeb0b44f0b0c46535aa23c3f1317d2c03148648342854fb98c
caed3382f2c691a1a3b7b424c7f00fd3d1bafb3a34f23ee424bcac165b6edf04
f773778f6eb4e9aa3ab3bd385409acd50081e57aed0e44bbda6308310e8c7316
71fa0160ef98f5ebf3f957f156a5368e2010b831e5f5ee618d2e414c29625987
4701e1d0065893d2d05cc0450f8f435e2644299b1beae3d4dd1a9758514d1d6f
dd1b3508cfb8aeb7f9ec8ad9a96bda852f499fb57b8cce55d076e1ce20d89daf
fc616c5cd59810cbfb8418141b2a652b92dd5163a8b9adfa54c79024916f17f2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 68357db2a89dda1c9dc7b89d5f937e615e26c885dac2109d7c6c7e303c93c4ec

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/792713/
  
Delivery method
Distributed via web download

Comments