MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8df5858f489a1dd9f113eda4dbe0aded3fd5a128dd32e991e94c5a2b7623ba64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8df5858f489a1dd9f113eda4dbe0aded3fd5a128dd32e991e94c5a2b7623ba64
SHA3-384 hash: d9cb5bb59c4ece54a9bd8ba52e93097d2555dc762a7843474d7d3947d08c52a4bc48fac22d9e00da9c25d53d19141a2d
SHA1 hash: 6f9f76730eb11f6ef42fd6ad210f01c633069bc4
MD5 hash: 41fc354c5ad49ad6750c5cc5348cefcc
humanhash: indigo-spaghetti-white-hotel
File name:41fc354c5ad49ad6750c5cc5348cefcc.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:345'851 bytes
First seen:2020-07-29 12:06:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 6144:3PCganNInU6GyDFDRhxXpi2j+C4lvj/3uC3z1c88pR2TruNElCYrr9gr:NanCU61lRz5iM4Z3Vz15SOrYYr6r
Threatray 5'568 similar samples on MalwareBazaar
TLSH 0C7412183100D8E3DAE5867018759D3FDBA8AE7C171F078787947E88F9B74069D1F662
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34869/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/402513
Signature
Contain functionality to detect virtual machines
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 253631 Sample: bDdrpjN7Vp.exe Startdate: 29/07/2020 Architecture: WINDOWS Score: 92 38 g.msn.com 2->38 40 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->40 54 Malicious sample detected (through community Yara rule) 2->54 56 Yara detected FormBook 2->56 58 Modifies the prolog of user mode functions (user mode inline hooks) 2->58 12 bDdrpjN7Vp.exe 22 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\MicrosoftVsaVb.dll, PE32 12->32 dropped 34 C:\Users\user\AppData\...\CMAccept.exe, PE32 12->34 dropped 36 C:\Users\user\AppData\Local\...\Renovator.dll, PE32 12->36 dropped 74 Contain functionality to detect virtual machines 12->74 16 rundll32.exe 12->16         started        signatures6 process7 signatures8 48 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->48 50 Hijacks the control flow in another process 16->50 52 Maps a DLL or memory area into another process 16->52 19 cmd.exe 16->19         started        process9 signatures10 60 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 19->60 62 Modifies the context of a thread in another process (thread injection) 19->62 64 Maps a DLL or memory area into another process 19->64 66 3 other signatures 19->66 22 explorer.exe 19->22 injected process11 dnsIp12 42 www.romanipaints.com 22->42 44 www.megaworldmc.com 22->44 46 www.3x3alliance.com 22->46 25 cmmon32.exe 22->25         started        process13 signatures14 68 Modifies the context of a thread in another process (thread injection) 25->68 70 Maps a DLL or memory area into another process 25->70 72 Tries to detect virtualization through RDTSC time measurements 25->72 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8df5858f489a1dd9f113eda4dbe0aded3fd5a128dd32e991e94c5a2b7623ba64/
Threat name:
Win32.Trojan.BypassUac
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 02:28:50 UTC
AV detection:
34 of 48 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rx2yld2itio5t4it5wsnxyfn5u75liji3uzotepjjrncw5rdxjsa._file
Verdict:
malicious
Similar samples:
02b9bc3c8ac2cea4764860f49e6be78b8fad956c7bbf28d4260671bb5260568d
FormBook
06cedd3e446db41cd53877ce7b7c24c31bc034260d7de377c01bb06e1ea9add0
FormBook
07f21e8acc3843aa44347b928c180902577a40850a8c671065920cb81ea8beb3
FormBook
4601b57fb9acf7117686773d8616efcac498591a6b650acc9a4f96871e9694b5
FormBook
468f9abc380cedf17528958eb0ccd8e42e100e05ecb250f31a11d3f946765990
FormBook
52ea3c1f51eb3a8920e2895ebe7d54ed9b010407775434da9c47fdeceae7af84
FormBook
84b4040d764a758414d6e7d913161c97846e563eb18e3497f207670f9d239bc8
FormBook
b10488bbd95fcf6ddad889eaefb6a7585a41071d24062bd0894ce6a5fc6eab87
FormBook
e661bc38b20992b846232fd3d6cbe914bb46ae68b39ce7e7a348be2ba5261851
FormBook
f69e7749b6798b4c4f258eebbedc77992536cc24bef9d1bf3d68315ad16abcf0
FormBook
+ 5'558 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200729-epkbvy8xss/
Behaviour
NSIS installer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8df5858f489a1dd9f113eda4dbe0aded3fd5a128dd32e991e94c5a2b7623ba64

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

FormBook

Executable exe 8df5858f489a1dd9f113eda4dbe0aded3fd5a128dd32e991e94c5a2b7623ba64

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/34869/
  
URLhaus
https://urlhaus.abuse.ch/url/421374/
  
Delivery method
Distributed via web download

Comments