MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c576c8589cb5ac244855f2ba2bc67c4445729e19140302ef781a2c27c8a3eabe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c576c8589cb5ac244855f2ba2bc67c4445729e19140302ef781a2c27c8a3eabe
SHA3-384 hash: bfff3bbdd6582855c5bb55347d1802a8ad78300a138b8eaad779bb148ab98f6355cd396c507a2949ccdc4d543b667eab
SHA1 hash: 166fb4321ac1a7b78095b6d12d673203573314f1
MD5 hash: 5e2a8c56f3ef90143ecdc0c145c09013
humanhash: mango-magnesium-florida-green
File name:5e2a8c56f3ef90143ecdc0c145c09013.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:801'280 bytes
First seen:2021-02-15 08:01:31 UTC
Last seen:2021-02-15 10:56:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:UrehGT/f7DSvWN1JuigLYVlaf+dhKeVnVBAzzpfKCRCD0gXNAWpDDrwz8:+hzHSvi7AYaf+dk+gzpLRWXN5VZ
Threatray 3'839 similar samples on MalwareBazaar
TLSH F20501122BD1A76AC46C8931167C0CE463F5AD1B7462DB6F3CC532E4CE7479F2B096A2
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5e2a8c56f3ef90143ecdc0c145c09013.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-15 08:14:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/73da185b-1de5-470c-b72d-283fcd906c2b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117150/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Fareit.bc.12276.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/607890
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c576c8589cb5ac244855f2ba2bc67c4445729e19140302ef781a2c27c8a3eabe/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-15 07:55:16 UTC
AV detection:
9 of 48 (18.75%)
Threat level:
  1/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3beb95c4f83e5f7d1af897311a6cd1d8abfb04c656ca73d7f4c8db6ad6e5d150
Formbook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
Formbook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
Formbook
83571a3ed240920c10403fb91eddb873096c02762e3a2f9497650593b0566546
Formbook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
Formbook
b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634
Formbook
b57c9384280389b262d09cb4fa5b5465aadd4aaba2afb6d48c5d6e7c3f8d923e
Formbook
c42f604b88f970d7f871de38dc87f4a2b9d53c8806139cd3e6aa0193110d5e63
Formbook
d325c45529e7211242f65cabe3549dd635a23fc43b48c2b2a64ccff8d54c1ee2
Formbook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
Formbook
+ 3'829 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210215-9m1e8mctpj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.slcacard.com/syt/
Unpacked files
SH256 hash:
c576c8589cb5ac244855f2ba2bc67c4445729e19140302ef781a2c27c8a3eabe
MD5 hash:
5e2a8c56f3ef90143ecdc0c145c09013
SHA1 hash:
166fb4321ac1a7b78095b6d12d673203573314f1
Link:
https://www.unpac.me/results/d27d43b1-a03b-429d-ba36-57da370b122c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c576c8589cb5ac244855f2ba2bc67c4445729e19140302ef781a2c27c8a3eabe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe c576c8589cb5ac244855f2ba2bc67c4445729e19140302ef781a2c27c8a3eabe

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1010794/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117150/

Comments