MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 73d85ee34057a7a69e204aea5ce4b3884e17f7dd3dd064e8953b88b9460f8955. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 5
| SHA256 hash: | 73d85ee34057a7a69e204aea5ce4b3884e17f7dd3dd064e8953b88b9460f8955 |
|---|---|
| SHA3-384 hash: | 453cc6f5a0e5cdcb7f897a25f16779cbe514f0db515a302def6a59f33fa1c56c56740f6ae049ed448843b2a98daa01c2 |
| SHA1 hash: | ac0a4ee10df49616812cdc6bdff59b656435fd94 |
| MD5 hash: | f235b468443403e46c46b080461bacc9 |
| humanhash: | ack-nitrogen-batman-artist |
| File name: | 2ac22470ff3bfdb44e7c3cb0f68e36d4 |
| Download: | download sample |
| Signature | Formbook |
| File size: | 776'242 bytes |
| First seen: | 2020-11-17 12:11:15 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 905a07a764c20120e1d8bffe07d1a20d (4 x FormBook) |
| ssdeep | 12288:fv2+mSUMHhOhsL4vHd98O4bArrMHCkzPOMu8VUR9n2yLupvXSdNXNlL:f+VMCp7h4bKMvpu8VQuZSnzL |
| TLSH | 18F4CFE36DD25437D1EB2B7C888B5E585469BE013918A84E77D42C0C9F3BAB1381A35F |
| Reporter |  seifreed |
| Tags: | FormBook |
Intelligence
File Origin
# of uploads :
1
# of downloads :
63
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Threat name:
Win32.Trojan.Ulise
Status:
Malicious
First seen:
2020-11-17 12:16:58 UTC
AV detection:
28 of 48 (58.33%)
Threat level:
5/5
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.dixdiiy.com/pm/
Unpacked files
SH256 hash:
73d85ee34057a7a69e204aea5ce4b3884e17f7dd3dd064e8953b88b9460f8955
MD5 hash:
f235b468443403e46c46b080461bacc9
SHA1 hash:
ac0a4ee10df49616812cdc6bdff59b656435fd94
SH256 hash:
826a9c794b405102e2ea1d4e4beb494a4f1a20811e68b46d567971070515b57f
MD5 hash:
476284dc9c8675eee4d03bb400572e04
SHA1 hash:
63658ed116f3b33f9957093c18a5462805b112d9
SH256 hash:
5345d0e3651d587fcffb03828f3c895508a54e3d8215dd23a07d9a51e877df9f
MD5 hash:
5752cc1fbe5a885f86d0d1beedaeebda
SHA1 hash:
593b2399c81fe89db64a5d11ac59cb5da4d16cb1
Detections:
win_golroted_auto
SH256 hash:
863a05d56b64256127336a9bdaebc6fc82dfa45f97096f7ffc20066c8b2fcbc3
MD5 hash:
e72ff64603c74ed25c363673861009c5
SHA1 hash:
b70b5a6a8eebcb402824108113697f65bbe96e50
Detections:
win_formbook_g0
win_formbook_auto
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Delivery method
Other
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.