MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f196fa55e6b02ee407f238eba897e8ae1a213a45603c526141a0c66f26e8c51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	6f196fa55e6b02ee407f238eba897e8ae1a213a45603c526141a0c66f26e8c51
SHA3-384 hash:	e73c94554e06e46d90d3c3665986819d29b517b505525c91f3859c7c251eaa4659f7a3307015e3ec43639efae042d469
SHA1 hash:	12c9c2a3b36c6cd4740dc1acff7c669eac720e92
MD5 hash:	b38c7d05423991713b19aba0f3826133
humanhash:	ink-golf-fanta-charlie
File name:	SecuriteInfo.com.Generic.mg.b38c7d0542399171.29466
Download:	download sample
Signature	Formbook Create hunting rule
File size:	268'240 bytes
First seen:	2020-08-10 15:30:54 UTC
Last seen:	2020-08-10 22:10:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:uE2H7vCRwSwu75zgkkYr6NRId+OOR+L/HPvsMz:X2H7qRBN7pgBYr67yaM0u
Threatray	5'066 similar samples on MalwareBazaar
TLSH	D844F1EA52C355A2C5BAA57321F0921007F1EF452083DBABF86F319B5FB3BD622116C5
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

2

# of downloads :

84

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/42870/

Detection(s):

SecuriteInfo.com.Generic.mg.b38c7d0542399171.29466.UNOFFICIAL

PUA.Win.Trojan.Generic-6629274-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

DNS request

Connection attempt

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/417304

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6f196fa55e6b02ee407f238eba897e8ae1a213a45603c526141a0c66f26e8c51/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2020-08-10 12:21:36 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Verdict:

malicious

Label(s):

trickbot

Similar samples:

0f73e9d58b85ae9061722f0720ab2f76f9884042b9ac260e5c102564d4572004

1b114b7614a73e7b1b75355a4904a7314a91c39ec385a246a67624dfc11b7b8e

1f3a78fa36bc0741a38e82e73ea0a214ef806c0d968c70b99aa71c73864be656

353bbb86f2947091a4cd8c6e556570654b68b344cd73a3f22409c4b60106ab9c

4077e5eeadfc447b88c36f638c37adc77ee35766a737e4a7aca64e61f2ef3d1a

4e343d50670d902ec99b2a4079f088249c3b6101d9754f763a77566af82e6f59

62afb1cbcacb77aa2ca99cc55c0e3536738415289f53c4a3a57d9b9cc08ee5ab

7d8d79cf0ac48ce5ffbb0cf0d1b3370662d34170d9430baac21f42d30b3b66f5

b2d8df96514495cb6b3fe66a6d61e70b8b6e92426910db93f7ae521be4fd2762

c12ceb5bc795285eff54b3ef08c9208c67148b5c446e21084677c25bf8c56112

+ 5'056 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/200810-79kwvctcr2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6f196fa55e6b02ee407f238eba897e8ae1a213a45603c526141a0c66f26e8c51

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/42870/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample