MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71
SHA3-384 hash: 861bf4648b8e3e4bbab0a9337b7fb767bf45b71730afe8cb9e22cd60541057cd6421ab61f6509666c364504ac3e6c715
SHA1 hash: 8fa22f3f426216aa7f1301d127582aa7434c9d4b
MD5 hash: 837fd128d246ccb07647515dd273f4f9
humanhash: april-finch-avocado-low
File name:SecuriteInfo.com.Trojan.PackedNET.475.29445.3816
Download: download sample
Signature Formbook
Create hunting rule
File size:860'160 bytes
First seen:2020-12-04 10:06:06 UTC
Last seen:2020-12-04 10:56:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:UZ/fiJLRc2evo2Ursov0KT4zHsyYgH/PT134slbbHl2qPVGNbTuMuKBD7hpvA/N:JAo/s7HsynTB4ATST0sDdIN
Threatray 3'139 similar samples on MalwareBazaar
TLSH D5058E39AE492A25F47A5B3EC5E01051E2AEAF83A707DC7D38F121CD0773BC599D052A
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PackedNET.475.29445.3816
Verdict:
Suspicious activity
Analysis date:
2020-12-04 11:05:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8b6b3c9c-de47-4003-9ef4-3153b22f510e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/106746/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.475.29445.3816.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/555521
Signature
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-04 10:07:05 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
013592f262bbf69d60ba1a3fe783e0cfce5470b114752148b267884d5993db44
Formbook
187785c7830aff67dd03a3bf3a067e9b760cb76f7367ee42c8e4b9c92b78d2e2
Formbook
201e2fd48dfdd75ee8abf1ad910deb3ffa1784ae0229fe7588b2b54119409aee
Formbook
2e01e0d0ed8a638d461d7b2355e9c5c370f3698b2b75bb3e60341179c7116ad3
Formbook
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
Formbook
94bae4886fe8942d256a84af00ae297e560b1711272c0d7b05d89f98c8067890
Formbook
9728048925e7faf422c4d7bacfaa90fae8bdcc9efad8a0868b456f3d4b213d09
Formbook
9f1f45b03b4f7909d0bbd7aa98895a0fcd314db228a7a233512c857ad86e7e86
Formbook
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
Formbook
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
Formbook
+ 3'129 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201204-ha883kdmbs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mommabearmoney.com/et2d/
Unpacked files
SH256 hash:
fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71
MD5 hash:
837fd128d246ccb07647515dd273f4f9
SHA1 hash:
8fa22f3f426216aa7f1301d127582aa7434c9d4b
Link:
https://www.unpac.me/results/a4ecf9bd-410c-4d78-908a-5782bb4186b8/
SH256 hash:
9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f
MD5 hash:
7476e403eef14ac403c63c7279831780
SHA1 hash:
8387f558e30dc115987ac2b5c174a41302471abf
Link:
https://www.unpac.me/results/a4ecf9bd-410c-4d78-908a-5782bb4186b8/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fb9ff8cbde50/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/888038/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/106746/

Comments