MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a2fe4b7d0c23f0ea83a75f458660dfd486d336716609bda19c82a05730ff4d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a2fe4b7d0c23f0ea83a75f458660dfd486d336716609bda19c82a05730ff4d3
SHA3-384 hash: 6ecbf035957ef62a33359cbf6dc31ee4c7d7ab514ae53b68885e48e0b9adbcd723b7eab2815ea9120bbf959bb4cddfe4
SHA1 hash: 542d5ca059dd37149f2cc1d6b1d542d23322e3cb
MD5 hash: 9997eda265763d63b86112f4225b5a9b
humanhash: golf-texas-fish-orange
File name:SOA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'111'040 bytes
First seen:2020-12-21 06:36:24 UTC
Last seen:2020-12-21 14:12:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:1frs7QJ6v1PTlHc6HZmba4vZ4qOYdvF4ugrWJMgBhKblDqPeyCWslmy/jT+D9:1frs22xlHse4x8YpiuQW3
Threatray 1'889 similar samples on MalwareBazaar
TLSH 2135BE243AEA501DF273AF755BE47192DAAFF7733B07E45E1090038A4713A81DE92639
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA.exe
Verdict:
Malicious activity
Analysis date:
2020-12-21 06:38:04 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/a872a7f9-fd60-4a2c-a6b1-84148eddd5b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108648/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.35798368.6223.2630.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/567151
Signature
.NET source code contains very large strings
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332657 Sample: SOA.exe Startdate: 21/12/2020 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 7 other signatures 2->42 10 SOA.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\...\SOA.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 SOA.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 yogacomsolutions.site 139.162.30.170, 49755, 80 LINODE-APLinodeLLCUS Netherlands 17->30 32 www.ladoctoracorazon.net 104.31.78.89, 49751, 80 CLOUDFLARENETUS United States 17->32 34 4 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 explorer.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0a2fe4b7d0c23f0ea83a75f458660dfd486d336716609bda19c82a05730ff4d3/
Threat name:
ByteCode-MSIL.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2020-12-20 23:06:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bix6jn6qyi7q5kb2ox2fqzqn7veg2m3hczqjxwqzzavak4yp6tjq._file
Verdict:
suspicious
Similar samples:
1237b8ef1ef28e7481b47113c644429a68c87858cc5ee8a020607f75696863d1
Formbook
1414f24264a3c0579250f74acdbb4ffffc79cf787221704b80cdab5829212bff
Formbook
2de8befd5512337e4e9c723289d086b229345708d167936e1212bcf8641f193a
Formbook
4661da61c0b3120e6e6487dd9b3ebc8a6725608547bfc8bcc9bd9f2e0b777121
Formbook
532b875f09991cdf7b57db59f0f7aa579d49b229d65ad1ace9f67bf6ffc7bca5
Formbook
a46ba41ed485d6f17d3da30e84f784ef419206d2378bc127c7095e7bbb2c1de6
Formbook
a5ce2ebab407749927a5056f7d432f5936675ec94e166e67bf0ea254a63e1abb
Formbook
a7120c8022437adb5629ea851c83f9efd6e57d9f5598f735e66fc11381fd707d
Formbook
a78982f275b83bfca636dca08c404c5952fbf86cba13813fb6d5e2f12ff60986
Formbook
c4b216f8933c36d4ac90ab772e7b5ec375e87e009c3d45022e953870feb320c2
Formbook
+ 1'879 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201221-rkv6vanyds/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.danneroll.com/mnc/
Unpacked files
SH256 hash:
0a2fe4b7d0c23f0ea83a75f458660dfd486d336716609bda19c82a05730ff4d3
MD5 hash:
9997eda265763d63b86112f4225b5a9b
SHA1 hash:
542d5ca059dd37149f2cc1d6b1d542d23322e3cb
Link:
https://www.unpac.me/results/2b719280-5ba5-4445-9850-d5b2915cd07d/
SH256 hash:
e3a1946bdf82bf6aabbd4681df57f07f5cdd91255d9278190da9f05efe7521f8
MD5 hash:
7db19dfa2827bdeb9f3403ec8006ae9d
SHA1 hash:
0e66609502ed1a8ea5d8405c5b2500036eeac1ed
Link:
https://www.unpac.me/results/2b719280-5ba5-4445-9850-d5b2915cd07d/
SH256 hash:
63a681a5739224e2a8d2184aee0f2672d57a99b920dbd40de6decb78b961b588
MD5 hash:
fc6398e3e937efd3ec3b835312111b12
SHA1 hash:
1df5edc9d3e24de6032d3569db24c58f79f65476
Link:
https://www.unpac.me/results/2b719280-5ba5-4445-9850-d5b2915cd07d/
SH256 hash:
57b08ef43293b7abeb6135eeaf1e9a5d6cc0ae014cf0372549f1a4c5f88f188c
MD5 hash:
1daaa3d6cf06b56c1b7b6ce1820eedba
SHA1 hash:
3291663ac881963611ca84e2ed9b86e0cdd87e7f
Link:
https://www.unpac.me/results/2b719280-5ba5-4445-9850-d5b2915cd07d/
SH256 hash:
76239076207b78fdfd629be2b5c418022172793776675c882f5190db54466d5f
MD5 hash:
2e1683c0bf7883418c50740fd8146390
SHA1 hash:
9ef2be61c4b795dd1bbc1377b68068e347295640
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2b719280-5ba5-4445-9850-d5b2915cd07d/
Parent samples :
95deccdc9ef87962793e87e162d62c1d07c56dbae3b964d93e79c190f38183f7
49e40687ad1ffb7ba491d92cd38333d3e96c134ba7739dcdd3e8ee2ea1b19506
0a2fe4b7d0c23f0ea83a75f458660dfd486d336716609bda19c82a05730ff4d3
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a2fe4b7d0c23f0ea83a75f458660dfd486d336716609bda19c82a05730ff4d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar c400849ab6d0f4ff5dfaa96c9b6ad6e23a5b6d5411b9f04b982410e872b8817d

Formbook

Executable exe 0a2fe4b7d0c23f0ea83a75f458660dfd486d336716609bda19c82a05730ff4d3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c400849ab6d0f4ff5dfaa96c9b6ad6e23a5b6d5411b9f04b982410e872b8817d
Cape
Cape
https://www.capesandbox.com/analysis/108648/

Comments