MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce9820f87744f7cd5f16e60470ec525cf1852762d5914278815b01737d4adacd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce9820f87744f7cd5f16e60470ec525cf1852762d5914278815b01737d4adacd
SHA3-384 hash: 7b070ead33c6701196a927841eb6bab9643d29e0b956315a498e826f468e29fe66b8a64ec9e437f56eeba5fcfe74966e
SHA1 hash: 68eb4e6d8c8f529ef0cbccad458389f9d1f4f329
MD5 hash: 40b52191ad0d1f5c1c6d646581ce31de
humanhash: may-echo-freddie-mexico
File name:kris.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'825'632 bytes
First seen:2020-11-13 07:25:06 UTC
Last seen:2024-07-24 21:33:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:GkchK9axSeLRfp+S0FLSijGh2dfkFfL28/zSeTujfViv6G+ECz7vCgY7NuXkSo+c:H9S00
Threatray 2'923 similar samples on MalwareBazaar
TLSH 4A85DF3D6D8826635177F677A0B906C6FEB4698672780C4F01C33A496D6AF023E9734E
Reporter theDark3d
Tags:FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic.mg.40b52191ad0d1f5c.17585.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/533539
Signature
.NET source code contains very large strings
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce9820f87744f7cd5f16e60470ec525cf1852762d5914278815b01737d4adacd/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-13 07:26:14 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07b296fafcefb5dbbf7148a96fc968664011aca0070b72732fb00886fbea9741
Formbook
162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396
Formbook
29b9120d8ad7140f77528da00668da77b956fd76ef4dd0ba0af550b771a387b2
Formbook
40e302fcbc592e6f845df3a731f3204c3026ebc929d290f77477857a4dccb559
Formbook
5354b3a337fe1f19dbbcd98ebbea35e58fd953c86b99cb1678d8f9c849e8d55c
Formbook
6308def230fca10ddd70426bb31764afd2564530a7ff775cf28e5e958c5bd37a
Formbook
70581c97768f831cf9a0e6e084f44331ffb3d17ed78136dcd6b42e0490b814bf
Formbook
89bf15eae14f60d6acc308cead31f09459947626b9839bbbddbf76f00821fe3b
Formbook
9daf6c939e1c734dca8262f7c96844167c8869301b032c1f156f0e532b055603
Formbook
ab2d651176cc27c6b41e7d6bdb060c328d66e68c4fb8df1b2c0a217187b2c15d
Formbook
+ 2'913 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201113-yrbmkkfd72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.asciflex.com/hrs/
Unpacked files
SH256 hash:
ce9820f87744f7cd5f16e60470ec525cf1852762d5914278815b01737d4adacd
MD5 hash:
40b52191ad0d1f5c1c6d646581ce31de
SHA1 hash:
68eb4e6d8c8f529ef0cbccad458389f9d1f4f329
Link:
https://www.unpac.me/results/a74408f0-2be6-44d9-8d34-3283939aac33/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe ce9820f87744f7cd5f16e60470ec525cf1852762d5914278815b01737d4adacd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/813010/
  
Delivery method
Distributed via web download

Comments