MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c698f5ef823adc2c3079ee359ea6d80e7c8e800d742d8f63c4c6f697131dd763. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

SHA256 hash: c698f5ef823adc2c3079ee359ea6d80e7c8e800d742d8f63c4c6f697131dd763
SHA3-384 hash: f9d578e9d891c7e7d05f997db4dd6855c54477355e321aca956d898a0559b2c35eb8c8b3286949ec9b998ad72d518592
SHA1 hash: 96ed351203d285b948a6153c8e2022dc37ca26f9
MD5 hash: 06ff0fff9de08e2cca89bc274bc5a2c2
humanhash: aspen-london-skylark-tango
File name: 06ff0fff9de08e2cca89bc274bc5a2c2
Signature: Formbook
File size: 724'992 bytes
First seen: 2020-11-17 11:26:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:BV/pQASmxXNS9Wjy7ABVFjLawJyHvx85rDTts4q4MfG0dqJ5YV0AY:ZNyEbFfa+EMrvt2fjdk
TLSH: 45F4AED6A7983F2BF07CD3B995284825C3F1ED52C762DB4D7C9A30CE4884F5287A161A
Reporter: seifreed
Tags: FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 69
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process

Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-11-11 07:57:26 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.thehappyhourtimes.com/z0po/
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
