MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd5cf89c75b6639053a9f493d611b7b575c0ce09d5388a7fdb0e5e92ea05a3c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	cd5cf89c75b6639053a9f493d611b7b575c0ce09d5388a7fdb0e5e92ea05a3c2
SHA3-384 hash:	2f9c7ce5daa3b40abb39ea092d3f0a7bfca105be7d80c4957ec33ee6ac2aa4cf5adcbc8903c9e8b695ed238a9a3a4abd
SHA1 hash:	2440e9a1a76573d9506b752d31b10a788d82b215
MD5 hash:	5a47b6ecd963805410d996573ca00dd0
humanhash:	sierra-hamper-jig-nebraska
File name:	5A47B6ECD963805410D996573CA00DD0.msi
Download:	download sample
Signature	Formbook Create hunting rule
File size:	262'144 bytes
First seen:	2021-05-05 10:56:12 UTC
Last seen:	2021-05-05 11:02:26 UTC
File type:	msi
MIME type:	application/x-msi
ssdeep	6144:9EIPXI1/04f95OSK6oo3BevIU3cVMM24UF21TRe:9E91/j57F3BZVMMvUFyTg
Threatray	4'962 similar samples on MalwareBazaar
TLSH	C944120A71C0C8FBCA3A4B714EB9AB5A5FD6BD050656960B3350B30F7E70A95871E3E1
Reporter	starsSk87264403

Intelligence

File Origin

# of uploads :

2

# of downloads :

54

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.15528.UNOFFICIAL

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/cd5cf89c75b6639053a9f493d611b7b575c0ce09d5388a7fdb0e5e92ea05a3c2

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cd5cf89c75b6639053a9f493d611b7b575c0ce09d5388a7fdb0e5e92ea05a3c2/

Threat name:

Win32.Trojan.Spynoon

Status:

Malicious

First seen:

2021-05-01 02:41:46 UTC

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Verdict:

malicious

Similar samples:

010f54e04b88914349c222fb020f1a02d36ef80ae2d6048df29535d19a2012f8

1f108a10b866def65686fcb0e0c10612152288ea1f7a6158e5ada37f26d03265

3c0c946bd49128824271aa80cde029b625c3c1ca3ba6df6b3408cccddc02296e

5aa64b3eef03b9c837e37102be20cb4f537c524b2a2531bf1bf6dd6a02461d7e

5d4c17f9ea28e3df3efa9d9c7ba40444abeee049fe999eb2d579c6cf4ccc3231

6f4fbab85c58d588450bc856ceff3894645e0033b4c4d2684184a8430c01daa4

7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b

8309d803c92faaf24828cd67e4c1041f9465ecf6c63f7608d7ed4579f075a02c

a2cdf452f83aa86c0f3ade321cfc00a9ed3671082372081a67cad84a26492051

a2e99d0aabd8f0ad83b885eccf313563526a58b2da435bf34dad29294c712efe

+ 4'952 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook macro rat spyware stealer trojan xlm

Link:

https://tria.ge/reports/210505-8wq9nr74es/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

NSIS installer

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Enumerates connected drives

Loads dropped DLL

Executes dropped EXE

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.craftsman-vail.com/cca/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample