MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecc540938addc1a440ef6ceb7714a0b45153c04c28df4395e3de18181439341a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	ecc540938addc1a440ef6ceb7714a0b45153c04c28df4395e3de18181439341a
SHA3-384 hash:	852466d85daad2b02b9fd361bd1e22d8336f357e48c78b0cea58265eefe83b468ea9692790f6d56f602607ae37f88c58
SHA1 hash:	328ce667e6d7fff59c3f27c0fcda338159c37c6f
MD5 hash:	81b0bdef857aa70ba8bfe0cb6d02f727
humanhash:	six-hotel-pip-emma
File name:	SecuriteInfo.com.generic.ml.23755.9413
Download:	download sample
Signature	Formbook Create hunting rule
File size:	850'944 bytes
First seen:	2021-04-25 03:38:34 UTC
Last seen:	2021-04-26 12:42:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:7oCiox3nKw1FxA+VD29Kg1ClZDfCv/eApYBeS89BtnAxO9cu0RzpYkgdxcmz:yox3nT/xAiDrg6Dk1lAxTRzSkg7c
Threatray	4'793 similar samples on MalwareBazaar
TLSH	42050222A9A88515CB7E033D54B5000053F9AF86A957F31D3E87B4ED3EF6382892765F
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

273

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.generic.ml.23755.9413

Verdict:

Malicious activity

Analysis date:

2021-04-25 03:40:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b18887cc-0e63-412a-a01a-3a1a318a2ed0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/144041/

Detection(s):

SecuriteInfo.com.generic.ml.23755.9413.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/696894

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/ecc540938addc1a440ef6ceb7714a0b45153c04c28df4395e3de18181439341a/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-04-25 01:31:44 UTC

AV detection:

16 of 47 (34.04%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5tcube4k3xa2iqhpntvxoffawrivhqcmfdpuhfpd3ymbqfbzgqna._file

Verdict:

malicious

Formbook

03805a08ddc03ad125ae1566868e0ccde7965350d760dc212a224ab10520a2d8

Formbook

494b892495fb6f002fd36477446bfc59f686fe73710d55dc782de8512452e535

Formbook

625140ec60caaae03895c18ad400c65f5d5b15f55c7a01eb419a4215d295a6ee

Formbook

70def7c02d96cb8aab6702e0d6f32c72d7fafbd2b883e09007de9fe204cd3f59

Formbook

a48a4f0d917d131353d46e23144550e83a39b26ab311287e4cdff30c009d5f66

Formbook

a64fb325fa611518c20644dfbe5728eb7767caeb63df08c4935dec5fc4ffe988

Formbook

bfa5c7ef6ac526946d60e2ebcb22c2f9e3ffeec8c9d42bc6d54a6d3373815034

Formbook

e069440cfd88504140f6315acc7174bd0dd961f070ccbf9b9b82c2e01af8113d

Formbook

fb17b85aa2aeaa59cb6db3e1c6eb68f83a570b5de3f10d3b09dd47a4aebdedea

Formbook

+ 4'783 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210425-kcy18z9wzj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://w��5 �@q[*��S=��m

Unpacked files

SH256 hash:

e90a19eba5f2de3ba82f652221105bb0682b07c20abddec487c6f4354ea79c39

MD5 hash:

efb0de4397ea61e17d262e278b53ff86

SHA1 hash:

727fdf2ceb13262d56bdda24a02564fb3e80c8b0

Link:

https://www.unpac.me/results/4cd623d2-12a7-4c59-a31b-02a079db50e3/

SH256 hash:

ecc540938addc1a440ef6ceb7714a0b45153c04c28df4395e3de18181439341a

MD5 hash:

81b0bdef857aa70ba8bfe0cb6d02f727

SHA1 hash:

328ce667e6d7fff59c3f27c0fcda338159c37c6f

Link:

https://www.unpac.me/results/4cd623d2-12a7-4c59-a31b-02a079db50e3/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/144041/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample