MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7346b3b5523c501e13b4ad1e8ebd685711bc168135f818685b9937d19304883b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	7346b3b5523c501e13b4ad1e8ebd685711bc168135f818685b9937d19304883b
SHA3-384 hash:	f4eaf2a3b905b7da05596214ed2acf0b62690c63441dae27fccc19287e3f64c59d1ee2f6023065f7dcc1e36db582ba24
SHA1 hash:	742fe9613d84a532f0e5530277c2044d5aa6290f
MD5 hash:	a87efde819eb98d3b9cfd58d3ecf425c
humanhash:	beer-blue-may-ack
File name:	a87efde819eb98d3b9cfd58d3ecf425c.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	751'104 bytes
First seen:	2020-09-04 08:53:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5f9e8ac5f7b6fee25a76ba39a5074f0e (3 x Formbook, 1 x AgentTesla, 1 x RemcosRAT)
ssdeep	12288:CFOaNz0BIO1+wqctsjUqhtyTsg1lM9xjkqzxVn8dwdRtbXa/2:+f+B91xtspzq6wqzxt8dwdRFa
TLSH	C3F4AEA6B2D04BF3C2562538BC3B9678A839BE1C2A6958466FF4CC4C4F3D25139760D7
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

167

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/55645/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Launching a process

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Launching cmd.exe command interpreter

Creating a file in the %temp% directory

Unauthorized injection to a system process

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7346b3b5523c501e13b4ad1e8ebd685711bc168135f818685b9937d19304883b/

Threat name:

Win32.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-09-04 08:54:12 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ondlhnkshrib4e5uvupi5plik4i3yfubgx4bq2c3te35deyera5q._file

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/200904-r8ajfytsvj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.masion2.info/u6ga/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7346b3b5523c501e13b4ad1e8ebd685711bc168135f818685b9937d19304883b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 7346b3b5523c501e13b4ad1e8ebd685711bc168135f818685b9937d19304883b

(this sample)

Cape

https://www.capesandbox.com/analysis/55645/

URLhaus

https://urlhaus.abuse.ch/url/433107/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample