MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 035c33a60853bf5ee2b470e1c7d0e00a23d13a6b4d19afb46d6fe2335b468a16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 035c33a60853bf5ee2b470e1c7d0e00a23d13a6b4d19afb46d6fe2335b468a16
SHA3-384 hash: 77113a33391141fd232e12fbc9ec6acc7c1a668c2f1c59e6ee31b0f523cdee8c9d99bf9718c5e9e747bcdb3b16a914f3
SHA1 hash: 4721a8a6723c31cac8a4a49b6ad6fdcd1d0c6280
MD5 hash: 920ee3d40083833959f5a40f068e46ac
humanhash: kentucky-edward-vermont-gee
File name:PRrWYAIHW9DNMIh.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:972'288 bytes
First seen:2021-04-20 06:00:38 UTC
Last seen:2021-04-20 07:13:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:l5kQJeakIWx+CaZshNKxqRRRRRGt/DteVauy:QQ3DCaehNpRRRRRGHeVD
Threatray 4'742 similar samples on MalwareBazaar
TLSH 94256B5C725075DEDA9BD2758BA49C64EB503C77430B820BE02735BAA93CC87DF160BA
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PRrWYAIHW9DNMIh.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-20 06:20:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/299e2b1a-b44e-4c90-ae7f-43f5fc318e71

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.671.25302.1867.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/688295
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 393094 Sample: PRrWYAIHW9DNMIh.exe Startdate: 20/04/2021 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 6 other signatures 2->44 10 PRrWYAIHW9DNMIh.exe 3 2->10         started        process3 file4 30 C:\Users\user\...\PRrWYAIHW9DNMIh.exe.log, ASCII 10->30 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 PRrWYAIHW9DNMIh.exe 10->14         started        17 PRrWYAIHW9DNMIh.exe 10->17         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 19 explorer.exe 14->19 injected process8 dnsIp9 32 www.fayval-williams.com 74.220.199.6, 49726, 80 UNIFIEDLAYER-AS-1US United States 19->32 34 www.danarett.com 172.96.185.159, 49724, 80 LEASEWEB-APAC-HKG-10LeasewebAsiaPacificpteltdHK Canada 19->34 36 www.aglbfm.com 19->36 46 System process connects to network (likely due to code injection or exploit) 19->46 23 raserver.exe 19->23         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 23->48 50 Maps a DLL or memory area into another process 23->50 52 Tries to detect virtualization through RDTSC time measurements 23->52 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/035c33a60853bf5ee2b470e1c7d0e00a23d13a6b4d19afb46d6fe2335b468a16/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=anodhjqiko7v5yvuodq4puhabir5cotljum27ndnn7rdgw2grila._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1a859f18a203b53f7c893f9e3d3cbfeb6bd9c0d479f1ddd5626ba4c9eb34e670
Formbook
4d7785dcd99beca572613788bc8b0713ddda6da0c8df321b1402bc38e6880f88
Formbook
5aa64b3eef03b9c837e37102be20cb4f537c524b2a2531bf1bf6dd6a02461d7e
Formbook
5d5d64a87a5d888443e8d7a25046922fa4a39fe5952a45635dd66321e616bb14
Formbook
8503c4ec4121647a225068e8defe8ff2e4cfc61a94dcd3c261ec5acf38dfa73b
Formbook
8ac1fc19367861f3a749d801300f554148e36a0e8a4f4cce3c5d3e4de43e4279
Formbook
a2cdf452f83aa86c0f3ade321cfc00a9ed3671082372081a67cad84a26492051
Formbook
b69927fbfd7eb038b59aa9b7e9f49cb02d127d48fcf6517e65a379e982e806bc
Formbook
d8e0edf1cca3b6edefcd830e233131c593997b5bd4454891dc1b70614862f718
Formbook
dd44eb26a328f1e86823339666e1b1237ad7b1d880694c1b8fb8164b931aa512
Formbook
+ 4'732 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210420-aaskyh6ptx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.unknowndjteam.com/hsd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/035c33a60853bf5ee2b470e1c7d0e00a23d13a6b4d19afb46d6fe2335b468a16

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments