MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf
SHA3-384 hash: 7262367eea3f6e85491217bd68b98385d6e7c92758179715452a75b3ffcc12965e8390d5735200e9a29534e0f3d5caee
SHA1 hash: f7ff40a1901d51dd6222b420bbece575b46b2cd2
MD5 hash: e538f67d529d672c55304f3c9ad05392
humanhash: uncle-india-potato-comet
File name:taskshostw.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:251'392 bytes
First seen:2023-01-20 19:35:21 UTC
Last seen:2023-03-17 12:48:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:eTIu4ZQ8M2A1vA7m5+C6ZoEHBAnpK37nXz8o1008Q75wPsoB74tyJhvSK/KkMc/X:LHA1vweOR8CTwPnLKkM/u
Threatray 4'019 similar samples on MalwareBazaar
TLSH T1F9347D4027E8CA1FDA7F17B6F4A122106775E14B9162EB8AB88C14FD1B5374099227BF
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter Chainskilabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
taskshostw.exe
Verdict:
Malicious activity
Analysis date:
2023-01-16 18:55:06 UTC
Tags:
xworm
Link:
https://app.any.run/tasks/10f8fac3-faa5-4fcf-abba-f50734c06013

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355080/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a service
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a file
Creating a window
Searching for the window
Creating a file in the %AppData% directory
Adding an access-denied ACE
DNS request
Sending a custom TCP request
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe fingerprint packed
Link:
https://www.filescan.io/uploads/63caed232b351a3d0ea726d3/reports/51b53630-a4fe-4c07-80ee-35215bd200fd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a62493e9-7d8a-44bc-a334-2f755712b823
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1155950
Signature
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 788681 Sample: taskshostw.exe Startdate: 20/01/2023 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 8 other signatures 2->56 7 taskshostw.exe 1 2->7         started        11 taskshostw.exe 14 5 2->11         started        14 taskshostw.exe 4 2->14         started        16 2 other processes 2->16 process3 dnsIp4 36 C:\Users\user\AppData\...\taskshostw.exe.log, CSV 7->36 dropped 58 Multi AV Scanner detection for dropped file 7->58 60 May check the online IP address of the machine 7->60 62 Machine Learning detection for dropped file 7->62 70 2 other signatures 7->70 44 2.tcp.eu.ngrok.io 3.126.37.18, 10954, 49704 AMAZON-02US United States 11->44 46 39.186.7.0.in-addr.arpa 11->46 48 2 other IPs or domains 11->48 38 C:\Users\user\AppData\...\taskshostw.exe, PE32 11->38 dropped 40 C:\Users\user\AppData\...\taskshostw.exe, PE32 11->40 dropped 64 Protects its processes via BreakOnTermination flag 11->64 18 schtasks.exe 1 11->18         started        42 C:\Users\user\AppData\...\taskshostw.exe, PE32 14->42 dropped 66 Bypasses PowerShell execution policy 14->66 68 Adds a directory exclusion to Windows Defender 14->68 20 cmd.exe 1 14->20         started        22 powershell.exe 19 14->22         started        24 powershell.exe 18 14->24         started        file5 signatures6 process7 process8 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 timeout.exe 1 20->30         started        32 conhost.exe 22->32         started        34 conhost.exe 24->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2023-01-13 08:06:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
24 of 39 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cjgbpmez3daj3nf5qk266pkbz2tboj5eqcv72vvjimqi3bmovdhq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
12d3005be0691cdcce3704bc50fe8b50d88e930f8cb65e73e015180c7c211b6d
Formbook
1b1172500c6e1e1607b0b0bce4ec74f8b65ffafcd492d8cd2886a7b7f20efaa4
Formbook
314fe41c4de11eb7270e04a04b40a267109da6b1ba469e4604a0e883b0d87fb3
Formbook
334ccf9e377cf841f14c6acee3f5f9d9a207a81db24c3e5f76e86a0888a7e849
Formbook
406a89dab9ccaf9c5ddc064d3f19875259de9564f93a240c7123e53aadfd6006
Formbook
5b7d20ddd066d63ad0751c3dd989d32a91225ac4e2793fe10e1d7f08279d405d
Formbook
6d8dd5a564523b6f8597dd9009a74395bb48e5e1a85947157ced38034b20b6d4
Formbook
a5f47b1b2efcf8bd7e36a072941fb9ee0ce780e6f410d6c85c503ccea24d29e6
Formbook
db5964ee570a1cbcbd1a0c7c8a7e4aadb44f64c27061ab25fde24a7f21d73f45
Formbook
fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997
Formbook
+ 4'009 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230120-ya81lshe76/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Unpacked files
SH256 hash:
124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf
MD5 hash:
e538f67d529d672c55304f3c9ad05392
SHA1 hash:
f7ff40a1901d51dd6222b420bbece575b46b2cd2
Link:
https://www.unpac.me/results/b9122b3a-a0cb-4398-9f22-f784e84a35ef/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/124c17b099d8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

(this sample)

anyrun
any.run
https://any.run/report/124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf/10f8fac3-faa5-4fcf-abba-f50734c06013
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/355080/

Comments