MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8194e62a1164c14371166f2eb5b7e2e3e695537b738826111710375ca565cf09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	8194e62a1164c14371166f2eb5b7e2e3e695537b738826111710375ca565cf09
SHA3-384 hash:	c63917c4cc5531cc0a458272d9eb5c22951486aa6a084a75cee119990b0ddbbba755b31a2b4ed3a2cd477ff87300952d
SHA1 hash:	2146a7642e32c5e26ac6734475a99462f6a23359
MD5 hash:	c0ac1b9aa82b1405a13d3b0bac1d4257
humanhash:	cup-charlie-nebraska-jig
File name:	SecuriteInfo.com.Trojan.Packed2.42555.13164.6397
Download:	download sample
Signature	Formbook Create hunting rule
File size:	666'624 bytes
First seen:	2020-08-26 15:17:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:bNRJkXr+D6ViIOyJjumH9SIeYnWMyiNa3qCXgg71ZfQFU:bNRaGIp0CnOFqCXLfQFU
Threatray	2'242 similar samples on MalwareBazaar
TLSH	45E4AE1123889F6AF4BE9B39A438001487F5F907E35ADB8E7D8881FB1A51F85C761B53
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/51338/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42555.13164.6397.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/451889

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/8194e62a1164c14371166f2eb5b7e2e3e695537b738826111710375ca565cf09/

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-08-26 13:02:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

20

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Verdict:

malicious

Similar samples:

035c2fa5d912202dd34e8410b14a42b0db007c2be8ed819bbc444f9818497f5b

0cd37496a09d3516103a2ba627f8c4bc9ba2eb99b0618d719a3fa9d708b9862d

172842029f8937753e79843e36fcb4715c0f3a9de4b256585847df48caf8e10f

2fd949e12ca1d32c55059b6710f33e098ae5c357156d79208ab92c066c80be11

347aa505ad319b4d8ee54aabe34dfc2af12b4747af23c6b635821ba9aedd0e32

54828c080b94bdbf7bc08ff7a3fc69fa5a91d1b067d2997af8ef60c0304b4aed

5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35

700f8405954cf77a38e6b103b33e4c7164202e9126b3b76044be35510b2bf440

839856ed87695990bbed8a508ff2645ad729f46753fe487a286361a15aa2ea94

ae438370eda70ba48a763c526e61b068e16d11cbd00e9cb504d6f1eeb7442d22

+ 2'232 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/200826-trtezc6atn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.uglace.info/tln/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/8194e62a1164c14371166f2eb5b7e2e3e695537b738826111710375ca565cf09

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 8194e62a1164c14371166f2eb5b7e2e3e695537b738826111710375ca565cf09

(this sample)

Cape

Cape

https://www.capesandbox.com/analysis/51338/

URLhaus

https://urlhaus.abuse.ch/url/444362/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample