MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a08e1464585333f5b4cb67d2150a488119fa971a878ad87c277197dbb453b93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a08e1464585333f5b4cb67d2150a488119fa971a878ad87c277197dbb453b93
SHA3-384 hash: b3442e987074bfcfd26180aa5a595f93a1c9fc76882574b38aac0266239cf6748ef202eadd13e56b625314f10ab06b2b
SHA1 hash: e97c2bcedeec4a255e4dc3a2727c0702b368293c
MD5 hash: 52352e2a92e0f413f7d97051580823c9
humanhash: jersey-maine-paris-may
File name:52352e2a92e0f413f7d97051580823c9
Download: download sample
Signature Formbook
Create hunting rule
File size:769'536 bytes
First seen:2022-03-29 09:01:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Ek1OnaiJYCanaBF+hHKKiBDbljZC7UsxKlQJU/7Xv0i9/sZtAeuvaZqdHHgjjkEN:OHHgjjkEve8MPSZCk5p
Threatray 14'653 similar samples on MalwareBazaar
TLSH T1E9F4C4ADF2F076EFC857D0728EA81C68BA5175AB531F4103A02715ADDA1C987CF14AB3
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/259094/
Detection(s):
SecuriteInfo.com.Variant.Barys.53924.14394.12788.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/6242cb0f9253b276b799da86/reports/3e840489-aff2-4f7b-a086-d400192d04b7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8dcdd6e5-98ee-464e-a33a-47b67a69afc3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/966584
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected FormBook malware
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 599073 Sample: tKnLiYThGw Startdate: 29/03/2022 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 12 other signatures 2->50 10 tKnLiYThGw.exe 6 2->10         started        process3 file4 38 C:\Users\user\AppData\Roaming\fkATqic.exe, PE32 10->38 dropped 40 C:\Users\user\AppData\Local\...\tmp8155.tmp, XML 10->40 dropped 42 C:\Users\user\AppData\...\tKnLiYThGw.exe.log, ASCII 10->42 dropped 60 Uses schtasks.exe or at.exe to add and modify task schedules 10->60 62 Tries to detect virtualization through RDTSC time measurements 10->62 64 Injects a PE file into a foreign processes 10->64 66 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 10->66 14 tKnLiYThGw.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 70 Modifies the context of a thread in another process (thread injection) 14->70 72 Maps a DLL or memory area into another process 14->72 74 Sample uses process hollowing technique 14->74 76 Queues an APC in another process (thread injection) 14->76 19 explorer.exe 14->19 injected 21 conhost.exe 17->21         started        process8 process9 23 svchost.exe 17 19->23         started        27 autoconv.exe 19->27         started        file10 34 C:\Users\user\AppData\...\279logrv.ini, data 23->34 dropped 36 C:\Users\user\AppData\...\279logri.ini, data 23->36 dropped 52 Detected FormBook malware 23->52 54 Tries to steal Mail credentials (via file / registry access) 23->54 56 Tries to harvest and steal browser information (history, passwords, etc) 23->56 58 Tries to detect virtualization through RDTSC time measurements 23->58 29 cmd.exe 2 23->29         started        signatures11 process12 signatures13 68 Tries to harvest and steal browser information (history, passwords, etc) 29->68 32 conhost.exe 29->32         started        process14
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0a08e1464585333f5b4cb67d2150a488119fa971a878ad87c277197dbb453b93/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-29 05:50:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
198a4a7609ba35046466d687d1c79c8ff4dcb0818ab256b1715a3677d23eba9c
Formbook
33a3c033ee1670aa88bd3853922c8ad9307c7700c36fa231414f5c96b5937546
Formbook
54cfa1f93d985c0bf952e00247f781f36988dffec0cb8d83f79fa3e41d98b335
Formbook
6b9529ef9582e73d4ac7bc63d46bd152a1bc894ce781308b8798ea9689312e60
Formbook
a14a184fb1d2aae9c388576180020ee018e0784212b59e545c15afce21eeb6cd
Formbook
c0f665918f4ea75327960ddf58cf37e415a6bf6569a4c22aa6291fbac9d171ce
Formbook
fc2cebcda95cb3a39ad6b08289fe3764635bf8bd69a372c05f0140665b57b55a
Formbook
+ 14'643 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:h93d rat spyware stealer trojan
Link:
https://tria.ge/reports/220329-kze7yachf5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Formbook Payload
Formbook
Unpacked files
SH256 hash:
7f1eefe3f24dff5aae854eb5de24ca7197f46cd5507bc1ab8e02da794945077e
MD5 hash:
6002f383ba679d54d003716f85888ed5
SHA1 hash:
39bed17fb31ed4499d6d7e13f63c04fe93b63ebd
Link:
https://www.unpac.me/results/7cf760eb-2c8d-46c1-b4d5-244c6d273fed/
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/7cf760eb-2c8d-46c1-b4d5-244c6d273fed/
SH256 hash:
b7dc43c8a5d419e89ea34eeda251afdd03d76b435348e758938e5a5cbe61e672
MD5 hash:
977efb6a5f2f7a975cf6c90d8c7d7015
SHA1 hash:
d88b43cb3df259abf83bf77595c3778b93fdf24f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/7cf760eb-2c8d-46c1-b4d5-244c6d273fed/
Parent samples :
0a08e1464585333f5b4cb67d2150a488119fa971a878ad87c277197dbb453b93
7a112f3fc7b4a8fdd9a8a576553b5a96098b6373e2c22ec9646bf7a472d9d3be
SH256 hash:
0a08e1464585333f5b4cb67d2150a488119fa971a878ad87c277197dbb453b93
MD5 hash:
52352e2a92e0f413f7d97051580823c9
SHA1 hash:
e97c2bcedeec4a255e4dc3a2727c0702b368293c
Link:
https://www.unpac.me/results/7cf760eb-2c8d-46c1-b4d5-244c6d273fed/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0a08e1464585/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/0a08e1464585333f5b4cb67d2150a488119fa971a878ad87c277197dbb453b93

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 0a08e1464585333f5b4cb67d2150a488119fa971a878ad87c277197dbb453b93

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2118592/
Cape
Cape
https://www.capesandbox.com/analysis/259094/

Comments


Avatar
zbet commented on 2022-03-29 09:01:33 UTC

url : hxxp://103.125.190.201/__oncloud/csrss.exe