MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1aa4ffcbf7f690cee6060e9167c395bffe594858bfcc2bdd772a0edf4a23721. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1aa4ffcbf7f690cee6060e9167c395bffe594858bfcc2bdd772a0edf4a23721
SHA3-384 hash: 835df7f2d488c684440c7ae363390cd0125b192c5bbd56ce334643b0df41665a0c817486b687bb8b8edec1002340e6d5
SHA1 hash: e649adcfb18298cd0f2ebec356b4d0242e0ce3e9
MD5 hash: 37438184a62b3254cee88cc3cf31ec85
humanhash: fourteen-avocado-alaska-oscar
File name:own.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:401'408 bytes
First seen:2020-08-05 07:35:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:v05BOkd8pDXJv00FI4iZDbR9Vz2ds+lvkfK:vaBgpDXJslZDdrz2j
Threatray 5'126 similar samples on MalwareBazaar
TLSH 3784E00C36A0954AF17E1E3F5D311193DE26F81FEA22D24B69752178097E68CBCB0FA1
Reporter JAMESWT_WT
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39103/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/410394
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f1aa4ffcbf7f690cee6060e9167c395bffe594858bfcc2bdd772a0edf4a23721/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 07:37:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6gve77f7p5uqz3tamdurm7bzlp76lfefrp6mfpoxokqo35fcg4qq._file
Verdict:
malicious
Similar samples:
0bf6ccdd920a50186f7318c51564ecc8f502302b084a5fda3feadb0d51e40f24
Formbook
11ed9b9e406c0dd0f8eebc68a84ed4790d73d051584206acce260627390ec049
Formbook
15ea783eaed5ea26907b2c782e5e201a56f2fe0a76005bb42a0b1ae72fe05c9f
Formbook
22366b7c6e51e58b855a91cc558885c438a34deaa588af13e0601586686e18f3
Formbook
404f88f8e5d2270cbab30c8e9de8d30aa8054939580a6ef40f41df59cc1f90a8
Formbook
7eb341c011c4ea364ef927cfc57ac980111e9c49012834c3760896fec7f04d52
Formbook
889352094880e37d9fb8d07ca965839f595ac5b821996f4290149d1815981a7b
Formbook
d1176c3c4ab396d3bad7dd15c881fdb4e38922e9f7e539dc1035768f366edcf9
Formbook
d61447d5653bc8e81c91e487864e2ea56fe6700fa720e4b6b07040c9b50db868
Formbook
dfb621588ae460ad55e4c5df59560023c7a87327c85f23b6fb9ee322c6488eec
Formbook
+ 5'116 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200805-9c5x5jshen/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/f1aa4ffcbf7f690cee6060e9167c395bffe594858bfcc2bdd772a0edf4a23721

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f1aa4ffcbf7f690cee6060e9167c395bffe594858bfcc2bdd772a0edf4a23721

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/421780/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/420693/
Cape
Cape
https://www.capesandbox.com/analysis/39103/

Comments