MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db99a2696513030143db7f8620f68a5088188f95629b408b1110cf0689c8746e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

SHA256 hash: db99a2696513030143db7f8620f68a5088188f95629b408b1110cf0689c8746e
SHA3-384 hash: af55cfcb38e5cbdb97c1999817977dc957ed55662e933fbea5c542292aeed75b14be01e1f0fc8bb69ff41b88fa6beee8
SHA1 hash: 08aafa25902b5d35254f1ded7a696793f598aa31
MD5 hash: bfb3d9bad9ae02b9a6480dc7685c39d3
humanhash: yellow-july-red-moon
File name: bfb3d9bad9ae02b9a6480dc7685c39d3
Signature: Formbook
File size: 737'792 bytes
First seen: 2020-11-17 14:48:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger). By the site's own counts this imphash is shared by tens of thousands of samples across several families, so it is not a useful pivot on its own.
ssdeep: 12288:GXlgqft+UoxC4lS585EfIAIoDNHtmIDZHUaG0p2AHaHXszdt7hupbQc/FGG1n8BM:LunoxC4lm88Ik9tnDhUaHHAmdt9P
Threatray: 3'029 similar samples on MalwareBazaar
TLSH: 63F4BF523348AF75E07C4B3BC448A600E7FADE278352CDA8BDDD71D99B81FA9D125206
Reporter: seifreed
Tags: FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 76
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-11-10 01:23:59 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.homepatioproducts.com/5bs/
Unpacked files

SHA256 hash: db99a2696513030143db7f8620f68a5088188f95629b408b1110cf0689c8746e
MD5 hash: bfb3d9bad9ae02b9a6480dc7685c39d3
SHA1 hash: 08aafa25902b5d35254f1ded7a696793f598aa31

SHA256 hash: bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash: a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash: e5404e3ed46498deb8ad8966a774540c2b8e9c1e

SHA256 hash: cdeff06d5a8840c1738f3b97eff380f11fb149d423ca750b47467021fcd6caf2
MD5 hash: 538873d1082f3e2c15fc44bba9b0e400
SHA1 hash: d8689336700e7c85fe3b7e74f9844b90136577fb

SHA256 hash: d6d4c2cec27b2b166cbaf11882ec0682f311f30e3efdcc6abf0037be54a5b334
MD5 hash: a7941f4b552dabcf59680f54d7d20819
SHA1 hash: f527ce6d88e76346cf2948eedaf85994101fb469

SHA256 hash: bf052c40bcce92be0338d610b05a6c4158eae99bd3bb6d9b0fcb8764689d1550
MD5 hash: 0a4b3da03eb4e488c99981914db0f4f4
SHA1 hash: 262a4c66c52c1e3ea834adfded72e587939d0def

Detections: win_formbook_g0 win_formbook_auto
Please note that we are no longer able to provide a coverage score for Virus Total.
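The values above are the actionable IOCs of this entry: four digests of the submitted file, its size, and the extracted C2 URL. The following is an added example, not code from MalwareBazaar or from the reporter, showing how a practitioner would verify a downloaded copy against every listed digest (not just MD5) and defang the C2 URL before pasting it into a ticket or report. The IOC values are transcribed from the entry; the function names and the test file are this example's own, and the bytes used in the test are constructed locally, not the malware.

```python
"""Check a local file against the hashes this MalwareBazaar entry lists and
defang the extracted C2 URL for safe sharing.

Added example; not part of the MalwareBazaar page or its tooling."""
import hashlib
import re
import sys
from pathlib import Path

# IOCs transcribed from the entry above (hex digests, lower-case).
ENTRY_IOCS = {
    "sha256": "db99a2696513030143db7f8620f68a5088188f95629b408b1110cf0689c8746e",
    "sha3_384": "af55cfcb38e5cbdb97c1999817977dc957ed55662e933fbea5c542292aeed75b"
                "14be01e1f0fc8bb69ff41b88fa6beee8",
    "sha1": "08aafa25902b5d35254f1ded7a696793f598aa31",
    "md5": "bfb3d9bad9ae02b9a6480dc7685c39d3",
}
ENTRY_FILE_SIZE = 737792  # bytes, "File size" above
ENTRY_C2 = "http://www.homepatioproducts.com/5bs/"

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def _digest_chunks(chunks):
    """Feed an iterable of byte chunks to all four hashers in one pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Digests of an in-memory byte string."""
    return _digest_chunks([data])


def hash_file(path, chunk_size=1 << 20):
    """Digests of a file, streamed so large samples need not fit in memory."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def match_iocs(path, iocs=ENTRY_IOCS, expected_size=None):
    """Compare the file with every digest in `iocs` (and optionally its size).

    Returns (all_match, details) where details maps check name -> bool.
    Checking all listed algorithms, not MD5 alone, catches a transcription
    error in any single value and makes a collision on one algorithm moot."""
    computed = hash_file(path)
    details = {alg: computed[alg] == expected.lower() for alg, expected in iocs.items()}
    if expected_size is not None:
        details["size"] = Path(path).stat().st_size == expected_size
    return all(details.values()), details


def defang(url):
    """Rewrite http(s)://host/path as hxxp(s)://h[.]o[.]st/path.

    Only the scheme and the dots in the host part are changed; the path is
    left as-is so the IOC remains searchable."""
    m = re.match(r"^(https?)://([^/]+)(.*)$", url, re.IGNORECASE)
    if not m:
        raise ValueError(f"not an http(s) URL: {url!r}")
    scheme, host, rest = m.groups()
    scheme = scheme[:1] + "xx" + scheme[3:]  # http -> hxxp, https -> hxxps
    return f"{scheme}://{host.replace('.', '[.]')}{rest}"


if __name__ == "__main__":
    # Usage: python check_entry.py <downloaded sample>
    ok, details = match_iocs(sys.argv[1], expected_size=ENTRY_FILE_SIZE)
    for name, hit in details.items():
        print(f"{name:9s} {'match' if hit else 'MISMATCH'}")
    print("sample matches entry" if ok else "sample does NOT match entry")
    print("C2 (defanged):", defang(ENTRY_C2))
```

Run it against the file obtained from the entry's download link (unpack the archive in an isolated analysis VM first); any MISMATCH means you are not looking at the submitted sample. The defanged form is what belongs in reports; keep the original URL only in detection content.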

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other