MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07f112fbe5d3677503d19457331c28fdbf1a82e2268a80b6753e483ccce3722d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07f112fbe5d3677503d19457331c28fdbf1a82e2268a80b6753e483ccce3722d
SHA3-384 hash: 4e2e78e26241a1228a0648f31c5aca041af080f887977525f3fc462e439a2929c08bd793a82e83433a99dcba45699d60
SHA1 hash: 873903d57784c755d217b9ebbdfe6afcafce1ade
MD5 hash: f32b3e5362033d40b53209a6d3b0e3d7
humanhash: eight-venus-hotel-freddie
File name:KYHIM47W.EXE
Download: download sample
Signature Formbook
Create hunting rule
File size:679'424 bytes
First seen:2021-04-19 08:57:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Yk8vntpm0We8kCsZBBepx6FZ+UdyYCza6PG1CpDUG2uvaBdAkzRRRRRVnF:mvntIe8kLBBeb6FZh2zXCUoGRvaNRRRD
Threatray 4'547 similar samples on MalwareBazaar
TLSH F9E4E0295F884EDBD75E08BD44E2623553B7C656B287F7C88F8260F90D8A700ADD8397
Reporter cocaman
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KYHIM47W.EXE
Verdict:
Malicious activity
Analysis date:
2021-04-19 08:58:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e99d2079-d60e-480a-b9ec-05f1ef30b377

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/138341/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/686485
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 392191 Sample: KYHIM47W.EXE Startdate: 19/04/2021 Architecture: WINDOWS Score: 100 33 www.logittechg.com 2->33 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 5 other signatures 2->47 11 KYHIM47W.EXE 3 2->11         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\KYHIM47W.EXE.log, ASCII 11->31 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 15 KYHIM47W.EXE 11->15         started        18 KYHIM47W.EXE 11->18         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 20 explorer.exe 15->20 injected process9 dnsIp10 35 www.wonderwithin.co 185.211.7.250, 49752, 80 QUICKPACKETUS Germany 20->35 37 www.grammypay.com 20->37 39 2 other IPs or domains 20->39 49 System process connects to network (likely due to code injection or exploit) 20->49 24 help.exe 20->24         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 24->51 53 Maps a DLL or memory area into another process 24->53 55 Tries to detect virtualization through RDTSC time measurements 24->55 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/07f112fbe5d3677503d19457331c28fdbf1a82e2268a80b6753e483ccce3722d/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a7yrf67f2ntxka6rsrltghbi7w7rvaxce2fibntvhzedzthdoiwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
290963ddb0862d90575e418931ac2cfacfbb79146f5846771e81046298bf75e8
Formbook
53e1c28059f751b2b8ba98d5c6adcf3e028f3d2953d5355d452dfd30f0830af0
Formbook
5d5d38241fa7a6b854b75c5a73944b6ee1cbe4a8a2865897d9c36b10158c90be
Formbook
7f6694752a3e50d4f811fb5c807f305ba5c4b422c3fa10468132575c6c2505b6
Formbook
80eae8d63facb880887f4f54f862128e8d28e2a706ad0f9bad806e9b98fa7e3e
Formbook
91a4088de46853519f714462e98f3f8abd09ca5c71903639083cc3e1036a8406
Formbook
957c5b5a6f0af47354f9ed2d09522fc671b8c0af06e3f3a5b6354e111b2c8129
Formbook
a2a17c9009ccab88bdfc20c958b900a5f1fdb2cd67d54ea265e902e9c3e0383e
Formbook
c1bcc9edb69c75aa2e1052ef728392ca9a922a23888a4be835e0bc4dbd150752
Formbook
e68f17cfe87742103150ca9abd6cc16581caa6e0e0243d03fae2c89c2609c974
Formbook
+ 4'537 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210419-qzy56kvhxj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.sevenwhale.com/sdh/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07f112fbe5d3677503d19457331c28fdbf1a82e2268a80b6753e483ccce3722d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 6d484397e9e3756569b411c995ea15aa523075f7b31172a956999ffe8c7c2d11

Formbook

Executable exe 07f112fbe5d3677503d19457331c28fdbf1a82e2268a80b6753e483ccce3722d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 6d484397e9e3756569b411c995ea15aa523075f7b31172a956999ffe8c7c2d11
Cape
Cape
https://www.capesandbox.com/analysis/138341/

Comments