MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 024cb5cb433bfd8e1b5e55016311bd477800b58b662fbaea35af605669c61fa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 024cb5cb433bfd8e1b5e55016311bd477800b58b662fbaea35af605669c61fa4
SHA3-384 hash: 69060119d67a7d2aceaa99066eb54d4b09098ff09654cc71df6227d794d12df4f6f73cf1805c627fcc4184401ab38bf7
SHA1 hash: f16d4f551d089b4332d1d373797e714709bfa71d
MD5 hash: b6b36dae4c1320985cf635679b8c3187
humanhash: eight-network-hotel-red
File name:IMG-20201028-WA000332.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:78'336 bytes
First seen:2022-06-08 15:30:08 UTC
Last seen:2022-06-08 16:39:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 768:+Gfh4bodkNdVxf6666666oVZPzSNxWP9VUAKQ/e+/5fYxNSk6666666O2+/y:Dfh4bkkT
TLSH T1D373EC7260F2A5D5FAE99EB3AC158184BEEB5C18CD12801EE01971F51673BC8C25A4FF
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG-20201028-WA000332.exe
Verdict:
No threats detected
Analysis date:
2022-06-08 16:33:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4d4bd4e5-016e-47ce-9a82-b0b28d11cfa8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277831/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.16184.27990.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching cmd.exe command interpreter
Creating a process with a hidden window
Forced system process termination
DNS request
Sending an HTTP GET request
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware obfuscated packed
Link:
https://www.filescan.io/uploads/62a0c0f94c4e28fcf3ba421c/reports/2f9a0cf8-ba4b-4dcc-8452-ab0b49f32c5e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80639b34-690f-4d56-9262-00e5285bf746
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1009232
Signature
.NET source code contains potential unpacker
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected FormBook
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 641729 Sample: IMG-20201028-WA000332.exe Startdate: 08/06/2022 Architecture: WINDOWS Score: 100 95 Snort IDS alert for network traffic 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->99 101 7 other signatures 2->101 10 IMG-20201028-WA000332.exe 16 7 2->10         started        process3 dnsIp4 75 ngcgas.com 148.66.137.120, 49743, 49757, 49775 AS-26496-GO-DADDY-COM-LLCUS Singapore 10->75 67 C:\Users\user\AppData\Roaming\...\Rcwhsii.exe, PE32 10->67 dropped 69 C:\Users\user\...\Rcwhsii.exe:Zone.Identifier, ASCII 10->69 dropped 71 C:\Users\...\IMG-20201028-WA000332.exe.log, ASCII 10->71 dropped 14 MSBuild.exe 10->14         started        17 cmd.exe 1 10->17         started        19 cmd.exe 1 10->19         started        file5 process6 signatures7 105 Modifies the context of a thread in another process (thread injection) 14->105 107 Maps a DLL or memory area into another process 14->107 109 Sample uses process hollowing technique 14->109 111 2 other signatures 14->111 21 explorer.exe 14->21 injected 25 conhost.exe 17->25         started        27 timeout.exe 1 17->27         started        29 conhost.exe 19->29         started        process8 dnsIp9 73 www.kingdazzlejoy.com 21->73 103 System process connects to network (likely due to code injection or exploit) 21->103 31 Rcwhsii.exe 14 4 21->31         started        35 wlanext.exe 21->35         started        37 Rcwhsii.exe 3 21->37         started        signatures10 process11 dnsIp12 77 ngcgas.com 31->77 81 Multi AV Scanner detection for dropped file 31->81 83 Machine Learning detection for dropped file 31->83 85 Writes to foreign memory regions 31->85 87 Injects a PE file into a foreign processes 31->87 39 cmd.exe 31->39         started        41 cmd.exe 1 31->41         started        43 MSBuild.exe 31->43         started        89 Modifies the context of a thread in another process (thread injection) 35->89 91 Maps a DLL or memory area into another process 35->91 93 Tries to detect virtualization through RDTSC time measurements 35->93 45 cmd.exe 35->45         started        79 ngcgas.com 37->79 47 cmd.exe 37->47         started        49 cmd.exe 37->49         started        51 MSBuild.exe 37->51         started        signatures13 process14 process15 53 conhost.exe 39->53         started        55 timeout.exe 39->55         started        57 conhost.exe 41->57         started        59 conhost.exe 45->59         started        61 conhost.exe 47->61         started        63 timeout.exe 47->63         started        65 conhost.exe 49->65         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/024cb5cb433bfd8e1b5e55016311bd477800b58b662fbaea35af605669c61fa4/
Threat name:
ByteCode-MSIL.Trojan.Gasti
Create hunting rule
Status:
Malicious
First seen:
2022-06-08 15:31:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ajglls2dhp6y4g26kuawgen5i54abnmlmyx3v2rvv5qfm2ogd6sa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
masslogger
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:st80 loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220608-sx11mahdd5/
Behaviour
Delays execution with timeout.exe
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Adds policy Run key to start application
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
024cb5cb433bfd8e1b5e55016311bd477800b58b662fbaea35af605669c61fa4
MD5 hash:
b6b36dae4c1320985cf635679b8c3187
SHA1 hash:
f16d4f551d089b4332d1d373797e714709bfa71d
Link:
https://www.unpac.me/results/0e2a92d9-cd20-4441-9c24-37e13794fe0e/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/024cb5cb433b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/024cb5cb433bfd8e1b5e55016311bd477800b58b662fbaea35af605669c61fa4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 024cb5cb433bfd8e1b5e55016311bd477800b58b662fbaea35af605669c61fa4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/277831/

Comments