MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2b81fe418dd23ca1db00b67c5f9913061c927132b39c242bb638b8358ffd9fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2b81fe418dd23ca1db00b67c5f9913061c927132b39c242bb638b8358ffd9fa
SHA3-384 hash: 084550c45cfead43883083a9a4b671d955945d9cec839283bc928b387d78601829849e93167776a79ce74eac3b49b019
SHA1 hash: e03e52c064ad9dc4ef2a18f327b0dce8852f20b2
MD5 hash: a1fe6cc921fb6ac3c10d11c4ed1a0b01
humanhash: mississippi-helium-autumn-glucose
File name:SecuriteInfo.com.Mal.Generic-S.9750.29166
Download: download sample
Signature Formbook
Create hunting rule
File size:979'456 bytes
First seen:2020-11-23 11:51:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:6cRbn32QsSyXbSE3swgS3D8RbkOQof+a:6a3/QXbSE3FN3CbpfV
Threatray 3'001 similar samples on MalwareBazaar
TLSH B125D031B7C85FA8F07E9778A425152483F4F90BE721DA4DBDD914CD4862F88CA27B26
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/545041
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e2b81fe418dd23ca1db00b67c5f9913061c927132b39c242bb638b8358ffd9fa/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-11-23 09:00:42 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4k4b7zay3ur4uhnqbnt4l6mrgbq4sjytfm44eqv3mofygwh73h5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07b296fafcefb5dbbf7148a96fc968664011aca0070b72732fb00886fbea9741
Formbook
0d271903774ae9467d80cad6fcaec4d2ea4653b8eb4c28e0a1c7dbe0849ccd01
Formbook
353e4fd91fe618f5c22c9cae00e7575e9b1914576ff7e332d03ca3e9f7dbbbbc
Formbook
3f1d00cc832bad31567399df69c06c23dbdc989e18178efc599ca6574d190e34
Formbook
8f06b49b371c6b257b716689b767ebf4bbc75391d0cf152b9bbe498ef55d017c
Formbook
a9a6a44f3eca95cc7785debebea767461798f27978628c58a06474005b8855c8
Formbook
b8a70285a4c92a2f629bcb9f0beafccf5ac73e934e28401b970ad4ca6d8bc60b
Formbook
bfb2fd4412e9cd136a794f61436d597d7d58fb4fd842509dabe7a70344e4fd97
Formbook
c59292352ccbebbc63ea3c740a7981594b6e8dbea866e1c1c8f66b0a0aa61eba
Formbook
e84b45b4e30dbdd8025a76075af204369ea5b1c638b7c15ec7998600936ce181
Formbook
+ 2'991 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201123-vngx8lnt2a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.glorioustoday.com/f6p2/
Unpacked files
SH256 hash:
e2b81fe418dd23ca1db00b67c5f9913061c927132b39c242bb638b8358ffd9fa
MD5 hash:
a1fe6cc921fb6ac3c10d11c4ed1a0b01
SHA1 hash:
e03e52c064ad9dc4ef2a18f327b0dce8852f20b2
Link:
https://www.unpac.me/results/228040ec-4a5e-4f5d-8ade-a65104bbbed2/
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
Link:
https://www.unpac.me/results/228040ec-4a5e-4f5d-8ade-a65104bbbed2/
SH256 hash:
4ad225a97a7f7bd99bd5b07c1a5d59332318dc37be4c87bcefd98aa90146a657
MD5 hash:
facb34513373e86879a062832bcb268d
SHA1 hash:
143fd5b64cc65c5644b8a206dd9fc4bf39dba919
Link:
https://www.unpac.me/results/228040ec-4a5e-4f5d-8ade-a65104bbbed2/
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
Link:
https://www.unpac.me/results/228040ec-4a5e-4f5d-8ade-a65104bbbed2/
SH256 hash:
6f2f9f8690b6892f27a489dfb79166c6fd181e35c0f1c42be948a7a9447755ba
MD5 hash:
8c396c7c91e2d54be46f546c05052bb4
SHA1 hash:
882b1f46e1858fcd85ccd033898a57c5c2339408
Link:
https://www.unpac.me/results/228040ec-4a5e-4f5d-8ade-a65104bbbed2/
SH256 hash:
5964883b2277d80860c7dfdd117ba5e3e4929d1d8576ac54e54e6b274f0393d6
MD5 hash:
3511e1055cf46791aa9e037ff3f4e428
SHA1 hash:
831056d5215e2daab3ac1226e3db2e1b7abc89d7
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/228040ec-4a5e-4f5d-8ade-a65104bbbed2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2b81fe418dd23ca1db00b67c5f9913061c927132b39c242bb638b8358ffd9fa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe e2b81fe418dd23ca1db00b67c5f9913061c927132b39c242bb638b8358ffd9fa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/845865/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/105258/

Comments