MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcad0e5581e86e8359e00997302140bbaa37fed5240db35291404c9b16a9fc0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcad0e5581e86e8359e00997302140bbaa37fed5240db35291404c9b16a9fc0f
SHA3-384 hash: de458b0acd7edeb71d66eff2582695397845532c9f8f7d78913ba6942a7f4bd6418653e3ff1bf0c262f0f4ae36dd2ecd
SHA1 hash: 4f3d6756a1cd7d9c1c230420c6aff13ddc4dee24
MD5 hash: b12bb3159a945df7c5944b6f4192516d
humanhash: missouri-sodium-low-florida
File name:SecuriteInfo.com.Trojan.GenericKD.45650043.22470.2448
Download: download sample
Signature Formbook
Create hunting rule
File size:795'136 bytes
First seen:2021-01-31 12:07:40 UTC
Last seen:2021-02-01 17:07:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:SPepg0nwqwXBPpRJPlS+LPAmpb8yDyWAZz2xacprJ:Rpg0Ts13BlSAJV8yTuzZir
Threatray 340 similar samples on MalwareBazaar
TLSH 9F059D4773E94E88DEADE7FE475DA5E883A3F8DF8B2191652604827509C61E0361F38C
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.GenericKD.45650043.22470.2448
Verdict:
No threats detected
Analysis date:
2021-01-31 12:09:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/91ff1455-2d0c-40fc-9379-2be397ac9799

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114931/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/594775
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fcad0e5581e86e8359e00997302140bbaa37fed5240db35291404c9b16a9fc0f/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2021-01-30 04:45:09 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
14d9c9f0dbe84637aad5dca71f874b7fd2c11e7b476c4da126090c23b8e95536
Formbook
55ca4147c94a10c9fc3fe95d3e922546ee796f63ca3b9aad005998f1e1e2b912
Formbook
56e07ad691527a959fc383a66ee5ab1ab94fa9d74a330f8946f6fbcc8bb57533
Formbook
6a03b5abdbbe7bd614645b2619977d1a278d1411bf3fe26ab8d260ccb95d9748
Formbook
8dcbe6a1627356b6707223af14e34eaf6b9fde0c9781707b2fb6de4c9b12a742
Formbook
93db921e5b0cfe2de4485e03e756c4123c90046fe2fb83a36e60f4ccee822e28
Formbook
9bb2525c48049ffd05b8ad6a39a89245b6a4de4914275fcfad2beee8bfaa714d
Formbook
adf3f47687c15c048c4c909e95c5c2c17187259832ebbab51b6a0b2c5e5f588e
Formbook
c7a2fcc718b3adeedee6e215f17799f22662a66c5c8e08af94ea641e9e909b8d
Formbook
cd63e20a002279934bc2ed4887d77605686a79f28f8114f9c01b678754a1e10a
Formbook
+ 330 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210131-w9wz2s95l2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.carolineconsultora.com/b2w3/
Unpacked files
SH256 hash:
fcad0e5581e86e8359e00997302140bbaa37fed5240db35291404c9b16a9fc0f
MD5 hash:
b12bb3159a945df7c5944b6f4192516d
SHA1 hash:
4f3d6756a1cd7d9c1c230420c6aff13ddc4dee24
Link:
https://www.unpac.me/results/f1fdd5ef-07d0-4150-ac4f-09c8b39fc353/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fcad0e5581e86e8359e00997302140bbaa37fed5240db35291404c9b16a9fc0f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe fcad0e5581e86e8359e00997302140bbaa37fed5240db35291404c9b16a9fc0f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/985036/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/114931/

Comments