MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f626ac44e4d6711e2b2a128fbde9bebf2a8b7c66d7161376993d3252c16dd083. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

SHA256 hash: f626ac44e4d6711e2b2a128fbde9bebf2a8b7c66d7161376993d3252c16dd083
SHA3-384 hash: 1fcd70f350da5abcc91f206c88d842ec7acfb127e455a7a549589f70f48db144f87e511bc3b46ce0bea1c3dc1fe09d84
SHA1 hash: 9986548c9971388c87b20e87f72d739fbed47e87
MD5 hash: 5e024d6bcc07e3ee550a8d303d26137d
humanhash: ink-sixteen-carbon-eight
File name: 002.exe
Signature: Formbook
File size: 396'800 bytes
First seen: 2020-07-22 15:14:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep: 6144:BjqRXoFrmYWPUm2GhNAr/lvlfX6rGiUrV43NBRihmXiadFS1QW6kjj3CISnm:B2RXoFfWPUm2iNSeKiUrQNBNSgYQLQj
Threatray: 4'910 similar samples on MalwareBazaar
TLSH: 8384CF10FBF407DADB5947B9E06155509B79A60E63EAE70D2B82F1EC1932B814723F23
Reporter: James_inthe_box
Tags: exe FormBook

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 90
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware

Behaviour
Creating a window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 92 / 100

Behaviour
Behavior Graph (ID 249921; sample 002.exe; start date 23/07/2020; architecture WINDOWS; score 92)

Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 2 other signatures
Sample-level DNS/IP: www.poerspeak.com

Process tree:
002.exe (started)
    dropped: C:\Users\user\AppData\Local\...\002.exe.log (ASCII)
    RegSvcs.exe (started)
        Modifies the context of a thread in another process (thread injection)
        Maps a DLL or memory area into another process
        Sample uses process hollowing technique
        Queues an APC in another process (thread injection)
        explorer.exe (injected)
            DNS/IP: www.floridapostpartum.net, www.fiskalni-uredjaji.com, www.9y-game.com
            svchost.exe (started)
                Modifies the context of a thread in another process (thread injection)
                Maps a DLL or memory area into another process
                Tries to detect virtualization through RDTSC time measurements
                cmd.exe (started)
                    conhost.exe (started)
    RegSvcs.exe (started)
        Tries to detect virtualization through RDTSC time measurements
Result
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-07-22 15:14:12 UTC
File Type: PE (.Net Exe)
Extracted files: 7
AV detection: 23 of 29 (79.31%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
