MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a89e078209cfee253f663972680a9e8ce5f811a1c3e212ca146dd1fe7806820. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 7 File information Comments

SHA256 hash:	0a89e078209cfee253f663972680a9e8ce5f811a1c3e212ca146dd1fe7806820
SHA3-384 hash:	ebdabfd37d2360bfd35226ddfa52a03c59f9dac3c3c2506ded011ae1e7a5750505a6814bbc1ba0c779f1e6a2f11f8991
SHA1 hash:	047ae912e0724e1e699fab68c489992d33ba5200
MD5 hash:	7774092dfcbef62e413c06500e490ceb
humanhash:	robin-queen-charlie-artist
File name:	FATURA.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'353'275 bytes
First seen:	2022-09-28 07:19:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:iAOcZXp0+fa/T94uw0AeHEo0aqbU3gUkjPV99npuezy71oporah32:o6fa/R4rfevWUkj9fZe6Gn
Threatray	16'318 similar samples on MalwareBazaar
TLSH	T18B551243F6D128B2E4721931472267319EBD7C201E65AF5FA3D41EADAF31580A624FB3
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	80a4a6a6a6a68081 (11 x Formbook)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/314255/

Detection(s):

Win.Dropper.NetWire-9970213-0

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Enabling the 'hidden' option for files in the %temp% directory

Creating a process from a recently created file

Creating a file

Adding an access-denied ACE

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Forced shutdown of a system process

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/39669/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Tags:

formbook greyware nanocore netwire overlay packed setupapi.dll shdocvw.dll shell32.dll

Link:

https://www.filescan.io/uploads/6333f5a6d089a0c15dd2871d/reports/37992f9f-49f4-442d-adff-6850454fcc00/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b8def1ba-4663-4629-b153-280a65c73391

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1079038

Signature

Allocates memory in foreign processes

Antivirus detection for dropped file

Drops PE files with a suspicious file extension

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected AntiVM autoit script

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/0a89e078209cfee253f663972680a9e8ce5f811a1c3e212ca146dd1fe7806820/

Threat name:

Win32.Backdoor.NanoCore

Status:

Malicious

First seen:

2022-09-21 17:29:07 UTC

File Type:

PE (Exe)

Extracted files:

386

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bke6a6batt7oeu7wmolsnafj5dhf7ai2dq7cclfbi3or7z4anaqa._file

Verdict:

malicious

Label(s):

formbook

Formbook

1678611ad4996f718c0a8998ce194dfe117bf47529c4ccad51a6816ecf4f1bb4

Formbook

5c5e4e31bde29168e03fa8cce36bab9b577568137edab59f68f8968616546ed9

Formbook

a806993bf26058dc6cbe82f305945d97dcf5b316115c672774950bcc0626a38d

Formbook

a96ccfc5b5b64660b986d22b9bcc96cb5e178d3d506893bd24a959a5338a4a32

Formbook

aa005608adb8e7e3c775383f20f2608164056713bcbb92d0ec5c99994d8af750

Formbook

b3a3645cf2d804bebd0d8049b70c95ae545ff06ca2acc9f85721a1d1f3c9b5b8

Formbook

b8ee3458736fa73672b43a4c55e136bafc48b215dcb89dac28b5865ab59fc99c

Formbook

f163f4788da0d445dec687df7d215b6af3c4bea10589fa268e6aff20ff335510

Formbook

+ 16'308 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:oy10 rat spyware stealer trojan

Link:

https://tria.ge/reports/220928-h55cxagdem/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Formbook payload

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0f287b78-e154-4579-b736-ade8cc5bacd7

Unpacked files

SH256 hash:

698621c5bd32e84675eedcc2466ddc04cb62ecac17bdb186152ee11e1adc71ab

MD5 hash:

ad15bb401a09b2c9b1eea799f7bf5d3b

SHA1 hash:

409e7d67e90d2c1913dcb9317f784e907c86c6f4

Detections:

FormBook

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/98f1e272-6940-42ed-9a73-46a2ad02cbf9/

Parent samples :

02f864baf71847c5832c94f396bb14ba3fd5c1b7d96936427c358f37a6cfa105
0a89e078209cfee253f663972680a9e8ce5f811a1c3e212ca146dd1fe7806820
35dca540318f9e0fdc12b54f0e0a588fef8047bea5c7163db9e3e7bd6975f929
b967fa620a94b3669bae343ebf01c1150e5600d1b5967babc9bed153da762aad
8020c7ae73996b075960572036622d75a045e4979f165006a1db2e98ca561ce2
2b5e0eaa1ba6de90bb95dfb7a374b9a8f7052b109e670b900f4b0e3cc5a2896c
e4e94b44c9e470fb07a711c6cbf24730978c388cedc47a538a158126f9d1878f
f85c784976136a164863c0c50f9f2dd97c738b43efabd21f333ed8cf6d8edba4
4be0a5b71383128f03a11f9f39ecb9d32ed7e3c2f3f6fc5c6a0300dbecdb29d9
ae7bed4f2ca7d2e00ce5fd9138eed815e9a7ceaf971a0c731364ea9ac28eded2
dd5c4fcf7c4737619d62e6fc138247422d1866a04899f2fe242d372c3c2e9332

SH256 hash:

517e1d62c70bf9177341033dd246a3a4544167a947671098fdea677e219dd959

MD5 hash:

46fcf89c49e97c4ccd07f435a2663213

SHA1 hash:

d64b2b2f17d0645e1aaf95382ce073a0f6637565

Link:

https://www.unpac.me/results/98f1e272-6940-42ed-9a73-46a2ad02cbf9/

SH256 hash:

0a89e078209cfee253f663972680a9e8ce5f811a1c3e212ca146dd1fe7806820

MD5 hash:

7774092dfcbef62e413c06500e490ceb

SHA1 hash:

047ae912e0724e1e699fab68c489992d33ba5200

Link:

https://www.unpac.me/results/98f1e272-6940-42ed-9a73-46a2ad02cbf9/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0a89e078209c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0a89e078209cfee253f663972680a9e8ce5f811a1c3e212ca146dd1fe7806820

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	RansomwareTest4 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest5 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest7 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	sfx_pdb Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

Rule name:	sfx_pdb_winrar_restrict Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 0a89e078209cfee253f663972680a9e8ce5f811a1c3e212ca146dd1fe7806820

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/314255/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample