MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acd9b03d66d463c3b7a101e07d15d4007c0a06c5848ea08f75e677a2a5300c1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 5



SHA256 hash: acd9b03d66d463c3b7a101e07d15d4007c0a06c5848ea08f75e677a2a5300c1a
SHA3-384 hash: d354c3505213d7de52be9ad7b419a7aefbd18845ab6c13f3770c080950a39874f3b27b219691882ff7e24b73b6914403
SHA1 hash: 1966b49e5db9ef9730a0af0f84799dc7d89afc5f
MD5 hash: 055761229d2f4424cb7abe37d2f4a746
humanhash: vegan-football-mockingbird-sierra
File name: 77b5990391c48bf013bc045983a83e61
Signature: Formbook
File size: 398'848 bytes
First seen: 2020-11-17 12:10:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0a131a315228230104c175573ec8ff41 (4 x Pony, 2 x Formbook, 2 x AgentTesla)
ssdeep: 6144:YIZiPnrD5lhtnbQ8aLJyZwscVeYG3dDEEbnEegrZJ4mFJljRGNyV5auyzs6W:DYHhxOMZOc93REgEXDjJZR0yVQVzsh
TLSH: 01842335B2106535F60C3A3676DF6DBC4D7329590C46E62A3D83E51AFE3C3E08E25A62
Reporter: seifreed
Tags: FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 63
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Forced shutdown of a system process
Unauthorized injection to a system process
Threat name: Win32.Trojan.LokiBot
Status: Malicious
First seen: 2020-11-17 12:16:43 UTC
AV detection: 27 of 28 (96.43%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan upx
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
UPX packed file
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.thecrunchydumpling.com/o9b2/
Unpacked files
SHA256 hash: acd9b03d66d463c3b7a101e07d15d4007c0a06c5848ea08f75e677a2a5300c1a
MD5 hash: 055761229d2f4424cb7abe37d2f4a746
SHA1 hash: 1966b49e5db9ef9730a0af0f84799dc7d89afc5f
SHA256 hash: 781a7d71b6bda28bdc0b4ec9cd8cd1097cb6f0fcd2c03f07dcecc77661dbc9ea
MD5 hash: 78dc78b5a296d4a21e7bc27194227f01
SHA1 hash: ab21620f05fb6e144765f7f8d50653fa584597d1
Detections: win_formbook_g0 win_formbook_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments