MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04274b027d3bd09ec0d7b58ff5af64aa06e626668995cb5ef6d7fad939bc6c33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04274b027d3bd09ec0d7b58ff5af64aa06e626668995cb5ef6d7fad939bc6c33
SHA3-384 hash: cd37c1f28ad21c51b0bf0c9fd9547c3cb254b7574bf91e2da8973244bf579ff919d741cf017b10921a2daca7c7c3294d
SHA1 hash: f79f58bc3142b59d0d8669595a01770bdf5486ff
MD5 hash: 429bba6dbe159c300679509be3085665
humanhash: illinois-river-cold-table
File name:429bba6dbe159c300679509be3085665.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:599'552 bytes
First seen:2020-11-20 07:27:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:K29Z0ZfOKYJqFwpzpYTnMS3hrrnplI5GJriD:f9WtZY7wTnT9npu5G0
Threatray 2'989 similar samples on MalwareBazaar
TLSH DAD4129EA3485732D0AE11FB60B141CA02F15163E623EB97BDCCE17E547274DBE2126E
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/544003
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 321100 Sample: oqTdpbN5rF.exe Startdate: 20/11/2020 Architecture: WINDOWS Score: 100 46 www.iqftomatoes.com 2->46 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 4 other signatures 2->66 11 oqTdpbN5rF.exe 1 2->11         started        signatures3 process4 signatures5 76 Writes to foreign memory regions 11->76 78 Maps a DLL or memory area into another process 11->78 14 RegAsm.exe 11->14         started        17 oqTdpbN5rF.exe 1 11->17         started        19 cmd.exe 1 11->19         started        process6 signatures7 80 Modifies the context of a thread in another process (thread injection) 14->80 82 Maps a DLL or memory area into another process 14->82 84 Sample uses process hollowing technique 14->84 86 Queues an APC in another process (thread injection) 14->86 21 explorer.exe 14->21 injected 88 Writes to foreign memory regions 17->88 25 RegAsm.exe 17->25         started        27 cmd.exe 1 17->27         started        90 Tries to detect virtualization through RDTSC time measurements 19->90 29 conhost.exe 19->29         started        31 choice.exe 1 19->31         started        process8 dnsIp9 48 www.bikininbodymommy.com 81.17.18.197, 49758, 80 PLI-ASCH Switzerland 21->48 50 www.buyiprod.com 104.252.192.7, 49766, 80 EGIHOSTINGUS United States 21->50 52 www.camera-kento.com 21->52 68 System process connects to network (likely due to code injection or exploit) 21->68 33 NETSTAT.EXE 21->33         started        36 cmd.exe 21->36         started        70 Modifies the context of a thread in another process (thread injection) 25->70 72 Maps a DLL or memory area into another process 25->72 74 Sample uses process hollowing technique 25->74 38 conhost.exe 27->38         started        40 choice.exe 1 27->40         started        signatures10 process11 signatures12 54 Modifies the context of a thread in another process (thread injection) 33->54 56 Maps a DLL or memory area into another process 33->56 58 Tries to detect virtualization through RDTSC time measurements 33->58 42 cmd.exe 1 33->42         started        process13 process14 44 conhost.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04274b027d3bd09ec0d7b58ff5af64aa06e626668995cb5ef6d7fad939bc6c33/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-11-20 07:28:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqtuwat5hpij5qgxwwh7ll3evidomjtgrgk4wxxw275nson4nqzq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02c69531b427dfcd3727b5cea0b1bd11463901daa643165d606feb92e138587c
Formbook
091f6c53a4f73bdac192e08bda0459f5e8af953a3c2b5cdee175677301a8cef5
Formbook
106f9f66c54be3c20be8f04ce63f5d6183d6eb9e79a6b243b5c820cc01ee24cb
Formbook
12898cbec097104c225702c61e311cc6e12d0f4ac55b95a1eb41a812e6941748
Formbook
4d27c9f76ad56d0acf75219b5074f9d5cb43cd9b394904963352d55adb970368
Formbook
82b0bf0df7b8987197d19071dfda32b037ee3251291b08f6d979749635784e89
Formbook
9266cbea03c00bd09e7bf997dee6635840bc2383a0f60c94a2e03b636ec23c84
Formbook
ab2d651176cc27c6b41e7d6bdb060c328d66e68c4fb8df1b2c0a217187b2c15d
Formbook
e4974ddc809773cd725cfc7070ad545ddf4aa1fc211eb77a1eaae7b7fc1a019c
Formbook
e919d1c10bd867f71a99a7aaa5c52221c4e79341c2389880596a8d1ef9ed5a13
Formbook
+ 2'979 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201120-2qz2dag16j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.thesiromiel.com/kgw/
Unpacked files
SH256 hash:
e71f5c0f23506103e8d979d9aeda9222e7d7bf46893c4a32acb7cc666f975d72
MD5 hash:
0b7a3279970a356c37b6153aa9fe40cb
SHA1 hash:
c92e6f9a383b1f43fcd2360f49b0fc87b927887c
Link:
https://www.unpac.me/results/e3b1dc1a-220b-4b37-b2ce-14e2c3d36bed/
SH256 hash:
b087a4c845235d514eb24a87f9af3c3f4171050906450d2d185e056caa4ba0f6
MD5 hash:
63ba6b8c7406b7c5af6526977517a7bf
SHA1 hash:
704e4e782aa010d23342b5bff350024a355c88d4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e3b1dc1a-220b-4b37-b2ce-14e2c3d36bed/
Parent samples :
ab2d651176cc27c6b41e7d6bdb060c328d66e68c4fb8df1b2c0a217187b2c15d
12898cbec097104c225702c61e311cc6e12d0f4ac55b95a1eb41a812e6941748
c11060e98a1fd5927043effed391b0278f0b5ffcc6a0e1afe63cc9b0831d0c50
04274b027d3bd09ec0d7b58ff5af64aa06e626668995cb5ef6d7fad939bc6c33
f1ca0286fa691166ab71220ee3243bcfa4e73b17247e382edaf6c1590d50d3a2
7a39513f428374b50a41c8d30a1704906270005c4675db03d810f9970fd96bbf
e07c9d7c06c5ebc0b53aba5bb6c35edd07169401a08e016ca68fa5677db00370
df8f7e81b9ccea1324a19fd1356c8fb79ea5623ba4095195f86c29f3816b5f7f
80d6f86936cc5e0190138c00ef2a03b2ec8abc19a1b2a7a0b3683e864f4fa982
429cc06eefa31821417d3b4f6ec5a69a352513d739499af2c6e9bce39d6d0542
e98f391c97abc8da96024452a1792e3eb6c559e2a2fbf5ac930ae3d772d833f5
9dddc8004c534fb2ebb6ad63cd96c11a97d87c87c1fc8eb46a6df36ecc341c18
2fd6b2288864f3a099a32bd923f7b3c67db00c979aa2e46db125e104618e92b7
04e7f27915298f09a1486331df3f0e5121e4a7856f41290f48200255b8b82df8
326090842ee6d692e02ae131a2003658939f60e79bceb7bad983cfe16400062f
623c65639a4364546031c5edb9780ab9cbbe5e6713d09518805dcaded8e425a0
14ee2894b546ba6d7835ee4dd8e07ef72fb10bfaebec8f1687da4559267cb72e
dc7d5ba2b99378adec017bb8911f3d2efd3cccf02bd0dc270e3c5ea2f875fc94
8fb9729078316a776fe49e10ae501467bac7d4df61278ca89fb08e1252ddb147
SH256 hash:
04274b027d3bd09ec0d7b58ff5af64aa06e626668995cb5ef6d7fad939bc6c33
MD5 hash:
429bba6dbe159c300679509be3085665
SHA1 hash:
f79f58bc3142b59d0d8669595a01770bdf5486ff
Link:
https://www.unpac.me/results/e3b1dc1a-220b-4b37-b2ce-14e2c3d36bed/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 04274b027d3bd09ec0d7b58ff5af64aa06e626668995cb5ef6d7fad939bc6c33

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/835919/
  
Delivery method
Distributed via web download

Comments