MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a15166ebb7fde6c7f0383f2cc06bb79a1d4fb9f5e421dfe988eff5d8fb148831. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	a15166ebb7fde6c7f0383f2cc06bb79a1d4fb9f5e421dfe988eff5d8fb148831
SHA3-384 hash:	14a923222faa170360a14401fb4ecc2283fd7cc3f7eaa9dcc99d7c94d34b0d5160e9e794a7f5ecf1811e39b7c07eb0d4
SHA1 hash:	91853ca94bc64ab17c5976687e9b43608e2b4718
MD5 hash:	861ce8249ee373083e9876dd76ea4319
humanhash:	black-high-victor-burger
File name:	INVOICE.EXE
Download:	download sample
Signature	Formbook Create hunting rule
File size:	529'920 bytes
First seen:	2020-05-27 18:02:35 UTC
Last seen:	2020-05-27 19:53:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:TFGSzYBchG6VEJD6Lpyq73UrHaNJOQJLa9RjIez4d9Io+u5n4D/G33333333333c:TFGSS6VEt68q7CH3mLa9Rh4d9j4D/
Threatray	2'297 similar samples on MalwareBazaar
TLSH	D0B4AE327902C43AC039027EA4EE6BE5E53C1ED83715936FB3AB335C1F61677A25524A
Reporter	cocaman
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/5058/

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.50184.2595.9352.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Agenttesla

Status:

Malicious

First seen:

2020-05-27 18:37:37 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 31 (74.19%)

Threat level:

2/5

Verdict:

malicious

Formbook

322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e

Formbook

52b517b0e9be1efed3349ff5b7e7e4a392881437d7bc9ccd7b94bbc23e28a2f9

Formbook

7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6

Formbook

9465c69c18144431c36b77e4b36534684c7717f1d9970eb522b8aef716dd2458

Formbook

94b89dec963ec5d8d9440acb8690d79494187187d36d0f964da12bba0cc1cad3

Formbook

bd7c17b39ab5f775700bae65b0930ae6b18e674036b6939c7264a9e7f14637ad

Formbook

ce860f3976ba5df3c4465a4b60d12980677dccc961a9fa91555c7b9de14c3dd8

Formbook

ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645

Formbook

f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c

Formbook

+ 2'287 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook agilenet rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-epan2q1gtn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.salomdy.com/rck/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator