MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf149d9178e1dfee8846b6c29664fd04e8b079121706b208dc9389f3ce1d36ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 6



SHA256 hash: bf149d9178e1dfee8846b6c29664fd04e8b079121706b208dc9389f3ce1d36ac
SHA3-384 hash: bb521abac2abb2628596b5144ac8b2da2754d7a06a4549a550a579d72bb2e7f19f3e00c2b0fc938e41878c2466ea2651
SHA1 hash: aa01cb0b3f221170f938092f4c779bb1c5c9d34f
MD5 hash: 64ff75463432b94f4fd12768a0fa6585
humanhash: avocado-pluto-neptune-london
File name: 64ff75463432b94f4fd12768a0fa6585
Signature: FormBook
File size: 903'680 bytes
First seen: 2020-11-17 11:45:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:dqOAZV9RmxXFS9Wjy7AB+TjUghPJLgtzqafyhJSPf+3KDc38Lvs8:1FyECIAJg3fyWs2s
TLSH: B415BF9677986F67E07D83B59928981083F0FD52C772DB4E3C8A31CE84A2F52436261B
Reporter: seifreed
Tags: FormBook
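Two practical checks on the identifiers above, as an added example that is not MalwareBazaar's own code. First, after downloading a sample, recompute the four digests and confirm they match the entry before trusting anything else on the page. Second, note that the imphash count spans AgentTesla, Formbook and SnakeKeylogger: a managed (.NET) executable imports only mscoree.dll!_CorExeMain from native code, so every .NET EXE produces the same imphash, and this value identifies "is a .NET exe", not a family. The imphash routine below reimplements the pefile/VirusTotal algorithm (lower-case library and function names, strip the .dll/.ocx/.sys extension, join as lib.func with commas, MD5); the sample bytes and import lists are constructed for the example.

```python
"""Added example (not MalwareBazaar's code): recompute the digests a
MalwareBazaar entry lists, and show why the imphash above is shared by
tens of thousands of unrelated .NET samples."""
import hashlib
from typing import Dict, List, Tuple

# Hash columns of the entry, in MalwareBazaar's naming -> hashlib algorithm.
HASH_ALGOS = {
    "SHA256": "sha256",
    "SHA3-384": "sha3_384",
    "SHA1": "sha1",
    "MD5": "md5",
}


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Return the four digests MalwareBazaar shows for a sample body."""
    return {name: hashlib.new(algo, data).hexdigest()
            for name, algo in HASH_ALGOS.items()}


def verify_hashes(data: bytes, expected: Dict[str, str]) -> List[str]:
    """Return the names of the expected hashes that do NOT match `data`.
    An empty list means every listed digest matches, i.e. the bytes are
    the sample this entry describes (hex is compared case-insensitively)."""
    actual = compute_hashes(data)
    return [name for name, value in expected.items()
            if name in actual and actual[name] != value.lower()]


def imphash(imports: List[Tuple[str, List[str]]]) -> str:
    """Import hash as computed by pefile/VirusTotal: for each imported
    (dll, function) pair in import-table order, lower-case both, strip a
    .dll/.ocx/.sys extension from the library name, format as 'lib.func',
    comma-join all pairs and MD5 the resulting string."""
    parts = []
    for lib, funcs in imports:
        lib = lib.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for func in funcs:
            parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# A managed (.NET) EXE has exactly one native import: the CLR bootstrap
# in mscoree.dll. Every such binary therefore shares one imphash, which
# is why the entry's imphash count covers three different families.
DOTNET_EXE_IMPORTS = [("mscoree.dll", ["_CorExeMain"])]
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"   # value from the entry above


def imphash_is_generic_dotnet(value: str) -> bool:
    """True when an imphash is the one every .NET EXE gets, so it is
    useless as a family pivot."""
    return value.lower() == imphash(DOTNET_EXE_IMPORTS)


if __name__ == "__main__":
    # Constructed stand-in for a downloaded sample body; not the real file.
    sample = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode."
    digests = compute_hashes(sample)
    print("mismatches:", verify_hashes(sample, digests))
    print("generic .NET imphash:", imphash_is_generic_dotnet(PAGE_IMPHASH))
```

For a real download, read the file bytes and pass the entry's four hash strings as `expected`; any name returned by `verify_hashes` means the file on disk is not the sample described here. Pivot on ssdeep or TLSH rather than imphash when the sample is MSIL.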

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 68
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Launching a process
Launching cmd.exe command interpreter
Threat name: ByteCode-MSIL.Trojan.Ymacco
Status: Malicious
First seen: 2020-11-11 08:45:48 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.libertraxengineering.com/rte/
Unpacked files
SHA256 hash: bf149d9178e1dfee8846b6c29664fd04e8b079121706b208dc9389f3ce1d36ac
MD5 hash: 64ff75463432b94f4fd12768a0fa6585
SHA1 hash: aa01cb0b3f221170f938092f4c779bb1c5c9d34f

SHA256 hash: c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash: b5358f677850210361f573c7d249c258
SHA1 hash: 215e06e319515d779efa88f7c05b343d6ec3f6a5

SHA256 hash: c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash: 47509d9db24c975e55c287afdc459fad
SHA1 hash: 4f1f893555c985d7cbba731cf1fdbf49c6ecf793

SHA256 hash: 468c1d1e693dccef6fa0f41d526c9e7728365cd37c5e6844af857f8a19444bc3
MD5 hash: adedff1cbc2d2517b5ecb351a14f0474
SHA1 hash: 7c41205ef3bf61ca88daea5fb1c6ee5d8a735d96

SHA256 hash: 26c05fd7d2ad2f59755f1f422caf358941cfff85fe42768178588d6b7029ee75
MD5 hash: 2f7c24937905c8e37a6d72f6a3b3ba8c
SHA1 hash: 9479fe1aa531708bd375ef9a13e717ec49691948
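The extracted C2 URL and the unpacked-file hashes above are the parts of this entry an analyst would sweep an environment for. The following is an added example, not MalwareBazaar's code, that turns them into two checks: a proxy-log search that matches the C2 by exact host plus path prefix (so a lookalike domain containing the C2 hostname, or the same path on an unrelated host, is not a hit), and a lookup of collected file hashes against the unpacked-file SHA256 values. The Squid-style log lines, the file inventory and the paths in them are constructed for the example; the indicators are copied from the entry.

```python
"""Added example (not MalwareBazaar's code): sweep proxy logs and a file
hash inventory for the IOCs listed in this entry. Log lines and the
inventory below are constructed; the indicators come from the entry."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set
from urllib.parse import urlsplit

# Indicators taken verbatim from the entry above.
C2_URLS = ["http://www.libertraxengineering.com/rte/"]
UNPACKED_SHA256 = {
    "bf149d9178e1dfee8846b6c29664fd04e8b079121706b208dc9389f3ce1d36ac",
    "c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b",
    "c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0",
    "468c1d1e693dccef6fa0f41d526c9e7728365cd37c5e6844af857f8a19444bc3",
    "26c05fd7d2ad2f59755f1f422caf358941cfff85fe42768178588d6b7029ee75",
}


@dataclass(frozen=True)
class C2Indicator:
    host: str         # exact hostname, lower-case
    path_prefix: str  # request path must start with this


def parse_c2(urls: Iterable[str]) -> List[C2Indicator]:
    """Split each C2 URL into host + path prefix so matching does not depend
    on scheme, port, query string or anything appended by the beacon."""
    out = []
    for url in urls:
        u = urlsplit(url)
        if not u.hostname:
            continue  # not a usable URL indicator
        out.append(C2Indicator(u.hostname.lower(), u.path or "/"))
    return out


def url_matches(url: str, indicators: List[C2Indicator]) -> bool:
    """Exact host comparison (no substring match, so lookalike domains that
    embed the C2 hostname do not fire) plus path-prefix comparison."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    return any(host == i.host and path.startswith(i.path_prefix)
               for i in indicators)


def sweep_proxy_log(lines: Iterable[str], indicators: List[C2Indicator]) -> List[str]:
    """Squid native access.log: space-separated, the URL is the 7th field
    (index 6). Lines that do not parse are skipped, never counted as hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        if url_matches(fields[6], indicators):
            hits.append(line)
    return hits


def sweep_hashes(inventory: Dict[str, str], known: Set[str]) -> Dict[str, str]:
    """inventory maps file path -> SHA256 as collected by an EDR or hashing
    tool (any case). Returns path -> lower-case hash for every known file."""
    return {path: h.lower() for path, h in inventory.items()
            if h.lower() in known}


# Constructed Squid access.log lines (time elapsed client status bytes method URL ...).
SAMPLE_LOG = [
    "1605614737.123 210 10.1.2.33 TCP_MISS/200 512 POST http://www.libertraxengineering.com/rte/?id=0f3a - HIER_DIRECT/203.0.113.5 text/html",
    "1605614738.456 35 10.1.2.33 TCP_MISS/200 2048 GET http://www.example.com/rte/ - HIER_DIRECT/198.51.100.7 text/html",
    "1605614739.789 40 10.1.2.40 TCP_MISS/404 300 GET http://www.libertraxengineering.com.example.net/rte/ - HIER_DIRECT/198.51.100.9 text/html",
    "malformed line",
]

# Constructed file hash inventory; paths are hypothetical.
SAMPLE_INVENTORY = {
    r"C:\Users\victim\AppData\Roaming\update.exe":
        "C8671A87D685F2354D96F3CFCAD530DFA5F3EC535A0F5EC14940D81FB857813B",
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}

if __name__ == "__main__":
    indicators = parse_c2(C2_URLS)
    for hit in sweep_proxy_log(SAMPLE_LOG, indicators):
        print("C2 contact:", hit)
    for path, digest in sweep_hashes(SAMPLE_INVENTORY, UNPACKED_SHA256).items():
        print("known unpacked file:", path, digest)
```

Path-prefix matching is deliberate: the entry gives one URL, and the sample's beacons may carry extra path or query components, but matching on the bare hostname would also be reasonable if the domain is otherwise unused in your environment. The MD5 and SHA1 values in the entry can be added as a second `known` set for tools that only collect those.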
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method: Other
