MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f597dd6da2eee93a18a174b4579b95e038ee31e88bde5fd470fdf2fd3fbfbf46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: f597dd6da2eee93a18a174b4579b95e038ee31e88bde5fd470fdf2fd3fbfbf46
SHA3-384 hash: d07592d29e9904c7373a5a85b86fe533588a1b438e7bc17058fb0286e668cf3d922d5b6e1eeeb4a673a63ff95e125e4b
SHA1 hash: d6ccaecaa833463df319b4f4da0d0a3f06bfd054
MD5 hash: 5e42805dde927e033e816a2ef5a489ba
humanhash: fourteen-saturn-speaker-xray
File name: f597dd6da2eee93a18a174b4579b95e038ee31e88bde5fd470fdf2fd3fbfbf46
Signature: Formbook
File size: 1'164'800 bytes
First seen: 2020-11-03 10:10:00 UTC
Last seen: 2020-11-03 11:57:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (shared with 48'743 AgentTesla, 19'608 Formbook and 12'242 SnakeKeylogger samples; this is the generic imphash of a .NET executable whose only native import is mscoree.dll!_CorExeMain, so it pivots on the .NET loader, not on the Formbook family)
ssdeep: 12288:5TGTdgGEiIyL8sXvqb/au4M3t74oKcmUOKS8:5
Threatray: 2'803 similar samples on MalwareBazaar
TLSH: 91459D3D6E8825A35277E276A0F90687FEE4618673781D4F02C32B486D4AF163E9734D
Reporter: JAMESWT_WT
Tags: FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 100
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict: MALICIOUS
Details:
Windows PE Executable: found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 64 / 100
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Result
Threat name: ByteCode-MSIL.Trojan.AgentTesla (this vendor's generic .NET trojan name disagrees with the Formbook signature and with the Formbook C2 extracted below; configuration extraction is the more reliable family attribution)
Status: Malicious
First seen: 2020-10-27 04:20:33 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 22 of 27 (81.48%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.a1aphysicaltherapy.com/ri6/
Unpacked files
SHA256 hash: f597dd6da2eee93a18a174b4579b95e038ee31e88bde5fd470fdf2fd3fbfbf46
MD5 hash: 5e42805dde927e033e816a2ef5a489ba
SHA1 hash: d6ccaecaa833463df319b4f4da0d0a3f06bfd054
SHA256 hash: f30b79a108999b7d60034db6accf3098120f2f5b2b5379515f1897e9089d4f7a
MD5 hash: 60cc82bf5e820451c92a7ba9e4f978a0
SHA1 hash: 5c774aea78a1c9f0f114525ac3961432329ddd51
SHA256 hash: 9d12872b4cb66d0b949933c8bb33d356fdcaed15d3be6b39caf9462ceda8d5c7
MD5 hash: 69ae2acf8c011a7f1f2cbed31360453a
SHA1 hash: 6ac1871856baede3307d2d68792b624e85233b0c
SHA256 hash: c7f102558506e1664af6c1781909964d377e909a3a276aade19843fde51bede4
MD5 hash: 588e4bb830687dccf91884fb5ef122ca
SHA1 hash: 5408f418e569738550a26b9e2810cb0df7a4de9e
Detections: win_formbook_g0 win_formbook_auto
Please note that we are no longer able to provide a coverage score for Virus Total.
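The following triage helper is an added example and is not MalwareBazaar's code. It embeds the digests printed in this entry (submitted sample plus the three unpacked files) and the extracted C2 URL, infers each digest's algorithm from its hex length so a mixed hash list can be ingested as-is, checks candidate file bytes or a digest reported by another tool against that set, and splits the C2 URL into the host, apex domain and path that DNS, proxy and IDS controls each need. The candidate bytes below are constructed and will not match any listed digest; the two-label apex-domain rule is an assumption that does not hold for multi-label public suffixes.

```python
"""Triage helper around the IOCs listed in this MalwareBazaar entry (added example)."""
import hashlib
from urllib.parse import urlsplit

# Digests copied from the entry. The submitted sample is also the first unpacked file.
IOC_DIGESTS = {
    "f597dd6da2eee93a18a174b4579b95e038ee31e88bde5fd470fdf2fd3fbfbf46": "submitted sample",
    "d07592d29e9904c7373a5a85b86fe533588a1b438e7bc17058fb0286e668cf3d922d5b6e1eeeb4a673a63ff95e125e4b": "submitted sample",
    "d6ccaecaa833463df319b4f4da0d0a3f06bfd054": "submitted sample",
    "5e42805dde927e033e816a2ef5a489ba": "submitted sample",
    "f30b79a108999b7d60034db6accf3098120f2f5b2b5379515f1897e9089d4f7a": "unpacked file 1",
    "60cc82bf5e820451c92a7ba9e4f978a0": "unpacked file 1",
    "5c774aea78a1c9f0f114525ac3961432329ddd51": "unpacked file 1",
    "9d12872b4cb66d0b949933c8bb33d356fdcaed15d3be6b39caf9462ceda8d5c7": "unpacked file 2",
    "69ae2acf8c011a7f1f2cbed31360453a": "unpacked file 2",
    "6ac1871856baede3307d2d68792b624e85233b0c": "unpacked file 2",
    "c7f102558506e1664af6c1781909964d377e909a3a276aade19843fde51bede4": "unpacked file 3",
    "588e4bb830687dccf91884fb5ef122ca": "unpacked file 3",
    "5408f418e569738550a26b9e2810cb0df7a4de9e": "unpacked file 3",
}

# Formbook C2 as extracted by the sandbox on this page.
C2_URL = "http://www.a1aphysicaltherapy.com/ri6/"

# Hex-digest length -> hashlib algorithm name. Covers every algorithm the entry prints.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha3_384"}


def classify_hash(hexdigest):
    """Return the algorithm name for a hex digest; reject anything that is not a known-length hex string."""
    h = hexdigest.strip().lower()
    if len(h) not in ALGO_BY_HEX_LEN or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a recognised hex digest: {hexdigest!r}")
    return ALGO_BY_HEX_LEN[len(h)]


def build_lookup(digests):
    """Validate every IOC digest once and index it as (algorithm, lowercase hex) -> label."""
    lookup = {}
    for hexdigest, label in digests.items():
        lookup[(classify_hash(hexdigest), hexdigest.strip().lower())] = label
    return lookup


def hash_bytes(data, algos=("md5", "sha1", "sha256", "sha3_384")):
    """Compute every algorithm present in the IOC set over the candidate bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in algos}


def match_bytes(data, lookup):
    """Labels of every IOC the candidate bytes hash to (empty list when nothing matches)."""
    digests = hash_bytes(data)
    return sorted({lookup[(a, d)] for a, d in digests.items() if (a, d) in lookup})


def match_digest(hexdigest, lookup):
    """Look up a single digest reported by another tool (EDR, mail gateway, sandbox); case-insensitive."""
    return lookup.get((classify_hash(hexdigest), hexdigest.strip().lower()))


def c2_blocklist_entries(url):
    """Split the C2 URL into the pieces each control consumes: host for DNS/proxy, path for URL-level rules."""
    parts = urlsplit(url)
    host = parts.hostname
    apex = ".".join(host.split(".")[-2:])  # assumption: two-label registrable domain
    return {"scheme": parts.scheme, "host": host, "apex_domain": apex, "path": parts.path}


if __name__ == "__main__":
    lookup = build_lookup(IOC_DIGESTS)
    # Constructed placeholder; a real run reads the quarantined file's bytes instead.
    candidate = b"MZ\x90\x00constructed-placeholder-not-the-sample"
    print("matches for candidate bytes:", match_bytes(candidate, lookup) or "none")
    print("EDR-reported SHA1 maps to:", match_digest("D6CCAECAA833463DF319B4F4DA0D0A3F06BFD054", lookup))
    print("C2 blocklist entries:", c2_blocklist_entries(C2_URL))
```

Keep the lookup keyed on (algorithm, digest) rather than on the bare hex string: an MD5 and a truncated SHA256 can never collide that way, and a digest of unknown length is rejected at ingest instead of silently never matching.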

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments