MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f9fcdd00e43b8845139ba38f9d4f164e526736578eab199e7f7af5d8179f01c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 5



SHA256 hash: 8f9fcdd00e43b8845139ba38f9d4f164e526736578eab199e7f7af5d8179f01c
SHA3-384 hash: 63558199bbc370caf66114a17ecd06c18d69d34e724187829cb082bc3f8af9343b28bb4f473b24e8dfd953bda4d8d1e4
SHA1 hash: a63f12bba792fd01307373a7565b96549eb9f3c8
MD5 hash: 082348ffb2977a0762e3e5d6f4a47ff4
humanhash: london-gee-kansas-winner
File name: fdppo.exe
Signature: Formbook
File size: 103'936 bytes
First seen: 2020-07-13 14:35:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 1536:fAXHQI+xKkd19Z0WXl8PyehhHL5pClKoY4hRHNc0:fknBk77AAKEhRHNf
Threatray: 5'124 similar samples on MalwareBazaar
TLSH: 9FA3656A97A15F19E1BB83396CCA202817FCA50FE795C3377EB503C102E2BF5197524A
Reporter: James_inthe_box
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 110
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
DNS request
Sending an HTTP GET request
Threat name: ByteCode-MSIL.Trojan.Scrami
Status: Malicious
First seen: 2020-07-13 09:17:24 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 34 of 48 (70.83%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: persistence spyware evasion trojan stealer family:formbook
Behaviour:
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Modifies system certificate store
Checks whether UAC is enabled
Reads user/profile data of web browsers
Adds Run entry to policy start application
Blacklisted process makes network request
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments