MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f5d6064f7ca561c9ebbd065a2d7f653a3dd1df31e67744f5dde208e35165959. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	9f5d6064f7ca561c9ebbd065a2d7f653a3dd1df31e67744f5dde208e35165959
SHA3-384 hash:	9885087e7364fa6c3e0add008f4275ecd2efa544ff74f45521236d5d4cffb95c654a6c41c6b512fb94ae0655946d1e84
SHA1 hash:	50695c897343d46356f4a6b6d4c437e7cc24d1e1
MD5 hash:	ab768635bc6c4711e348eebb1e881757
humanhash:	pluto-equal-spring-autumn
File name:	9f5d6064f7ca561c9ebbd065a2d7f653a3dd1df31e67744f5dde208e35165959
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'091'128 bytes
First seen:	2020-11-03 10:09:09 UTC
Last seen:	2020-11-03 11:58:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	12288:bHUYxhIg6TdLWczxhv2bBcREcClGeJcnacw5QtsoaJRodycWNqmGSQozzhYTXqG3:3+RUllGe/i+8HtEOR1J
Threatray	2'809 similar samples on MalwareBazaar
TLSH	87350D2429BB905DF0B3AE9D5ED4B5F68C5BFB32250920B92072C7074622983DFDD639
Reporter	JAMESWT_WT
Tags:	FormBook

Code Signing Certificate

Organisation:	Adobe Inc.
Issuer:	DigiCert EV Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	Jan 31 00:00:00 2019 GMT
Valid to:	Feb 3 12:00:00 2021 GMT
Serial number:	06F24D9F4DB07BD7ECAD067F5EE26C29
Intelligence:	9 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	F1D08D7B98504370C1D5C40DCD8D8DCEAB084E9095CEF544465C445A374A18B0
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/82006/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.34991288.8333.18446.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Forced shutdown of a system process

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

clean

Classification:

n/a

Score:

0 / 100

Link:

https://www.joesandbox.com/analysis/519047

Behaviour

Behavior Graph:

n/a

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/9f5d6064f7ca561c9ebbd065a2d7f653a3dd1df31e67744f5dde208e35165959/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-10-30 01:46:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Verdict:

malicious

Label(s):

formbook

Formbook

2fe26662d53b976914fd7bd9fbb589f5bd4114f47753c9437593b29fcd04c236

Formbook

37c41a797e70fef4120a5175d93835738ed9b9b85e24c912d61c7e1f96265f51

Formbook

867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24

Formbook

a50fdfd2a59cafe23cd41227b465d44b6d00e2b14f707798d60d2637ff78ef25

Formbook

bf6af5ed0a5504358dc8a24b7b37c5f7ed9ed7e6b2760b64e0650a845880d3ed

Formbook

d9600ffc9406d71c60b7eb036248230510c3b971a1de563ca7b8b57e822f7879

Formbook

e5a94739fb1f6d7a06f6b9eb529037c9ab0d59be424d4b99c63651360d7ded3f

Formbook

e85f434810652692f3e0a0738d9156899afcbd2bed42a6f328f0092d72a1db34

Formbook

f597dd6da2eee93a18a174b4579b95e038ee31e88bde5fd470fdf2fd3fbfbf46

Formbook

+ 2'799 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201103-j7pz8q371j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.a1aphysicaltherapy.com/ri6/

Unpacked files

SH256 hash:

9f5d6064f7ca561c9ebbd065a2d7f653a3dd1df31e67744f5dde208e35165959

MD5 hash:

ab768635bc6c4711e348eebb1e881757

SHA1 hash:

50695c897343d46356f4a6b6d4c437e7cc24d1e1

Link:

https://www.unpac.me/results/fadd9ec9-77f1-4e93-8063-7444044ee88d/

SH256 hash:

9d796d9282709688abb007cbec97a54f4617cc2843894a0bf50d0f443aa16a5f

MD5 hash:

5374acc863d358f869bff1a047e91e44

SHA1 hash:

2239f2802b803e282775fef5739050617aa22c9a

Link:

https://www.unpac.me/results/fadd9ec9-77f1-4e93-8063-7444044ee88d/

SH256 hash:

83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1

MD5 hash:

3c5dbcc3bb27e913e14efd8054811373

SHA1 hash:

b0eba9388abddaef9d5aa49ccd5dbab2924cced0

Link:

https://www.unpac.me/results/fadd9ec9-77f1-4e93-8063-7444044ee88d/

SH256 hash:

c7f102558506e1664af6c1781909964d377e909a3a276aade19843fde51bede4

MD5 hash:

588e4bb830687dccf91884fb5ef122ca

SHA1 hash:

5408f418e569738550a26b9e2810cb0df7a4de9e

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/fadd9ec9-77f1-4e93-8063-7444044ee88d/

Parent samples :

1e1beae5454f17fedd445159a0f138718c2009df44ac4b05a35ec3971a521f90
9f5d6064f7ca561c9ebbd065a2d7f653a3dd1df31e67744f5dde208e35165959
bf6af5ed0a5504358dc8a24b7b37c5f7ed9ed7e6b2760b64e0650a845880d3ed
f597dd6da2eee93a18a174b4579b95e038ee31e88bde5fd470fdf2fd3fbfbf46

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9f5d6064f7ca561c9ebbd065a2d7f653a3dd1df31e67744f5dde208e35165959

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/82006/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample