MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e78b5071209858cdcb5ce02f7df3c3fb857088f7088b964791d289c789451e67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e78b5071209858cdcb5ce02f7df3c3fb857088f7088b964791d289c789451e67
SHA3-384 hash: 2455bebf8118b3b7599cac79903299f495b2494c46a81276d2835e4f3a6d13bc84a4d3b4d59fbbb44e0914e8e4c54388
SHA1 hash: 5fb2b129bc206d032e3adcc6bc948d07373b9340
MD5 hash: 44150226048cd14567ce9874c0b549fc
humanhash: hydrogen-video-table-red
File name:SecuriteInfo.com.Trojan.Siggen11.48004.19433.19624
Download: download sample
Signature Formbook
Create hunting rule
File size:146'392 bytes
First seen:2020-11-23 22:53:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 3072:QW9c4cYGyGLeeV8DsqEPIlSPLVv4l3S1ucvp:Qwc1YGyoe2UsSMhyTwp
Threatray 3'451 similar samples on MalwareBazaar
TLSH 2DE3FA2973DB4C75FB7606393631E2835BF1B1933802C2286DE45DDAC8D6A424B36F5A
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Unauthorized injection to a recently created process
Creating a file
Launching the process to change network settings
Launching cmd.exe command interpreter
Sending an HTTP GET request
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/545614
Signature
Connects to a pastebin service (likely for C&C)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e78b5071209858cdcb5ce02f7df3c3fb857088f7088b964791d289c789451e67/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-23 18:58:31 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
124bbabecb8fc90f529eabfbd3aec4e4604782ca267c954ecf9cf38f48b43aa4
Formbook
1f58e0127c25c0a356436a3c78bcf05de2afacff0cba41275972d25a4be0bbfd
Formbook
5dea433f33054ac40c2a4260902db354a5c6f8497b1aa266955ebde6a9c289d4
Formbook
67b7e3da530df1ab1e868f9c0c1a5793f5b4a5b4fa69610e5e1d186a675c0c85
Formbook
70cd238b3f80f507ac99f8d355b5d461627e8a61ddd7ffba252296fea2619978
Formbook
adfaf60f2ef07cd0b6f3fdd429fb94e76376ebf41b0b615d2664449e6adb358e
Formbook
bdcd13abdded8f4f709fb288fb78b4afff486854b3ea78ad378d11220a31c3c4
Formbook
e3114262b2bf20de2c2b95534ba7c5ce497f894a3ecd99005f698a853c7f3b3e
Formbook
e4badaf86c0f22c6b31c97f661ba5af3f757697e7493c2e750a813173dec2273
Formbook
f4e7a822d33c454237c1d3d8352ca27953875dafcc0bb13ec52c649a8e0e9535
Formbook
+ 3'441 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201123-rgesmlacfn/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.pethgroup.com/mfg6/
Unpacked files
SH256 hash:
e78b5071209858cdcb5ce02f7df3c3fb857088f7088b964791d289c789451e67
MD5 hash:
44150226048cd14567ce9874c0b549fc
SHA1 hash:
5fb2b129bc206d032e3adcc6bc948d07373b9340
Link:
https://www.unpac.me/results/c0f743d3-3b15-467e-ac9d-887b8ce99256/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e78b5071209858cdcb5ce02f7df3c3fb857088f7088b964791d289c789451e67

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe e78b5071209858cdcb5ce02f7df3c3fb857088f7088b964791d289c789451e67

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/847208/
  
Delivery method
Distributed via web download

Comments