MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cf0b4703f06c87631dea093eafc72aa13da5a1721af35c0a635769bc3f88d8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cf0b4703f06c87631dea093eafc72aa13da5a1721af35c0a635769bc3f88d8e
SHA3-384 hash: 1c812a7ae517b44b539a84244964ad93f72bf7a6abad8eec069d37a3c3e86dd42315365f85661f078f7d4d0b793e9f20
SHA1 hash: 03982d2dd31133280a37a36cc2bf690f17021365
MD5 hash: f07813ae5f4b5f5a348cb648420e2a30
humanhash: dakota-batman-zulu-fish
File name:SecuriteInfo.com.Generic.mg.f07813ae5f4b5f5a.31876
Download: download sample
Signature Formbook
Create hunting rule
File size:459'264 bytes
First seen:2020-11-23 18:19:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:6KUjExfWEU/HmKmNdx483wfHyzA+UecZt8LF:6KUjEx+v/HmKEdSgwfyzAr/n8
Threatray 3'036 similar samples on MalwareBazaar
TLSH 01A4F17246D2AE96E77A3F75D1B122041FBA7CA7DA30CA0D7F8805DA1176B58C910F32
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/545429
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9cf0b4703f06c87631dea093eafc72aa13da5a1721af35c0a635769bc3f88d8e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-23 16:23:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0375352dd935ee474c225b1e7c35707a10f7100b0167bbabd5a497dbb34777cf
Formbook
2829f8bf819c13d753f3c6b33726df8c46a533f3040b550a86ca0ab34f967e92
Formbook
333a258f45e7a8baaab72b1539859a00bca7309a8d641490329184977090b540
Formbook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
Formbook
8de3d12f5661c36ae89e13085dc5d4c6db3000e434f960eb80adece4aaae8219
Formbook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
Formbook
99cc56c49ea22eaf929c14180a5625096c6652ae122fb35d913ae774604965f0
Formbook
a244a77f990bdec5f4f81d605990749206b6e5827e4bc140b9b4b2fbfdb0bb12
Formbook
cc15e8a9e04355389815d8a7be4c34746c87a2a9d672e426c01b00ad0a583069
Formbook
d325c45529e7211242f65cabe3549dd635a23fc43b48c2b2a64ccff8d54c1ee2
Formbook
+ 3'026 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201123-29myhnelps/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.orchardviewbostons.com/g65/
Unpacked files
SH256 hash:
9cf0b4703f06c87631dea093eafc72aa13da5a1721af35c0a635769bc3f88d8e
MD5 hash:
f07813ae5f4b5f5a348cb648420e2a30
SHA1 hash:
03982d2dd31133280a37a36cc2bf690f17021365
Link:
https://www.unpac.me/results/542ce015-17a9-4bc4-81ee-e70c98149141/
SH256 hash:
cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash:
8cd5d2014866f4ef60802ff1826998a6
SHA1 hash:
8ff75946905d0b117080cc5a07e6e0bbea4e9bbd
Link:
https://www.unpac.me/results/542ce015-17a9-4bc4-81ee-e70c98149141/
SH256 hash:
0b297e945fb9d9a7b959198ae2f421b24be86f58c8574c3d739ba38fd9601feb
MD5 hash:
574d4d1fd2bac7dbad8ceec3d5b0563f
SHA1 hash:
ba12cc605e7badf7ffbaf1215bba8705c1c46c93
Link:
https://www.unpac.me/results/542ce015-17a9-4bc4-81ee-e70c98149141/
SH256 hash:
eccb92284ecebe5407289d5de436ed67d48cb480f0f343aca60d81c0482c39bd
MD5 hash:
0fad3acfbcbde1fa850be91793e55528
SHA1 hash:
04bcdc8dcc6d1f5de3ed6622beed9ca2ed286365
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/542ce015-17a9-4bc4-81ee-e70c98149141/
Parent samples :
9cf0b4703f06c87631dea093eafc72aa13da5a1721af35c0a635769bc3f88d8e
562fd75b20d0ae6c7391b2d4ef7b01bd502566b20377f03c478f8a24fd2ac294
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9cf0b4703f06c87631dea093eafc72aa13da5a1721af35c0a635769bc3f88d8e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9cf0b4703f06c87631dea093eafc72aa13da5a1721af35c0a635769bc3f88d8e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/846724/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/105334/

Comments