MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d53ebef1fc30a9213f181ccb214dbe43703474dd6428fef873a1c439f146223. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Signature: Formbook
Vendor detections: 10

SHA256 hash: 1d53ebef1fc30a9213f181ccb214dbe43703474dd6428fef873a1c439f146223
SHA3-384 hash: a0ce9a8934b69bcc455969fea0c27e82f611cfb329325cf3a668946842b90ed2fdc0a57a0b873f0fe40cb8b647b2a4e8
SHA1 hash: 0e3cacc34f1b47d0ae84bd85dea586358f761cf1
MD5 hash: 719983d025ef6388a12440b184a5dab3
humanhash: autumn-early-skylark-cola
File name: 719983d025ef6388a12440b184a5dab3.exe
Signature: Formbook
File size: 120'832 bytes
First seen: 2021-09-23 23:25:59 UTC
Last seen: 2021-09-24 00:06:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 47bd1659724c857851ce24d0b21faf34 (4 x RedLineStealer, 1 x Formbook, 1 x RaccoonStealer)
ssdeep: 3072:Rnpmm+0MMRRl0XHKxjPXKYg0L4I5wldKeKwV+DCZ:Rn4m+0l03KRP6AQldUvD
Threatray: 6'392 similar samples on MalwareBazaar
TLSH: T1E4C38D2136E1DC32E3F38A754971C2A09A3FB8732E75858B3A44166E1F716D189E3357
dhash icon: 480c3c4c4b590b14 (1 x Formbook, 1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe FormBook
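Added example, not part of the MalwareBazaar page or of abuse.ch's tooling: before detonating or sharing a copy of this sample, confirm that the bytes you downloaded really are the listed file by recomputing the size and the four digests shown above. The digest and size constants are copied from this entry; the placeholder input in the usage stanza is a constructed DOS header, so it mismatches on every check, which is the expected outcome for anything other than the real sample.

```python
import hashlib

# Digests and size exactly as listed on this MalwareBazaar entry.
EXPECTED = {
    "md5": "719983d025ef6388a12440b184a5dab3",
    "sha1": "0e3cacc34f1b47d0ae84bd85dea586358f761cf1",
    "sha256": "1d53ebef1fc30a9213f181ccb214dbe43703474dd6428fef873a1c439f146223",
    "sha3_384": "a0ce9a8934b69bcc455969fea0c27e82f611cfb329325cf3a668946842b90ed2fdc0a57a0b873f0fe40cb8b647b2a4e8",
}
EXPECTED_SIZE = 120_832


def digests(data: bytes) -> dict:
    """Hex digests of `data` for every algorithm named in EXPECTED (all are in hashlib)."""
    return {name: hashlib.new(name, data).hexdigest() for name in EXPECTED}


def verify(data: bytes, expected: dict = EXPECTED, size: int = EXPECTED_SIZE) -> dict:
    """Per-check result: True where the blob agrees with the entry.

    The size is compared first because it is free; each digest is reported
    on its own so that a single disagreeing algorithm stands out instead of
    being folded into one yes/no answer.
    """
    got = digests(data)
    result = {"size": len(data) == size}
    for name, want in expected.items():
        result[name] = got[name] == want.lower()
    return result


def is_listed_sample(data: bytes) -> bool:
    """True only if the size and all four digests match the entry."""
    return all(verify(data).values())


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    # Constructed placeholder when no path is given: a bare DOS header, not the sample.
    blob = open(path, "rb").read() if path else b"MZ" + b"\x00" * 62
    for check, ok in verify(blob).items():
        print(f"{check:9s} {'OK' if ok else 'MISMATCH'}")
    print("listed sample" if is_listed_sample(blob) else "NOT the listed sample")
```

Run it as `python verify_sample.py path/to/719983d025ef6388a12440b184a5dab3.exe`; the unpacked payload listed further down the page has different digests and will not pass this check, which is the intended behaviour, since it is a different file.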


abuse_ch
Formbook C2:
http://194.180.174.112/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox reference
http://194.180.174.112/  https://threatfox.abuse.ch/ioc/225891/
135.181.142.223:30397    https://threatfox.abuse.ch/ioc/226444/
65.21.231.57:60751       https://threatfox.abuse.ch/ioc/226446/
178.132.3.103:80         https://threatfox.abuse.ch/ioc/226445/

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 189
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 719983d025ef6388a12440b184a5dab3.exe
Verdict: Suspicious activity
Analysis date: 2021-09-23 23:29:57 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Raccoon RedLine SmokeLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Creates processes via WMI
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by executing a special instruction which causes a usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph ID: 489393
Sample: xNl2MyPyW7.exe
Start date: 24/09/2021
Architecture: WINDOWS
Score: 100

Process tree (rebuilt from the behavior graph; numbers in brackets are the graph's node IDs):

[2] Start
  DNS/IP: ip-api.com, api.ip.sb
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 14 other signatures
  Starts: [11] xNl2MyPyW7.exe, [14] chhuthj, [16] chhuthj.exe

[11] xNl2MyPyW7.exe
  Signatures: Detected unpacking (changes PE section rights); Contains functionality to inject code into remote processes; Injects a PE file into a foreign process
  Starts: [18] xNl2MyPyW7.exe

[14] chhuthj
  Starts: [21] chhuthj

[18] xNl2MyPyW7.exe
  Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
  Injects into: [23] explorer.exe

[23] explorer.exe (injected)
  Network: 193.56.146.41:9080 (LVLT-10753US, unknown); 216.128.137.31:80 (AS-CHOOPAUS, United States); 3 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\chhuthj (PE32); C:\Users\user\AppData\Local\Temp\450B.exe (PE32); C:\Users\user\AppData\Local\Temp\3924.exe (PE32); 6 other files (5 malicious)
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Starts: [28] 130B.exe, [31] 2184.exe, [35] 3318.exe, [37] 6 other processes

[28] 130B.exe
  Dropped: C:\ProgramData\installzgd.exe (PE32); C:\ProgramData\grfdg.exe (PE32)
  Starts: [39] grfdg.exe, [43] installzgd.exe

[31] 2184.exe
  Network: 194.180.174.112:80 (MIVOCLOUDMD, unknown); t.me 149.154.167.99:443 (TELEGRAMRU, United Kingdom)
  Dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\...\ucrtbase.dll (PE32); C:\Users\user\AppData\...\softokn3.dll (PE32); 56 other files (none is malicious)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc)

[35] 3318.exe
  Signatures: Injects a PE file into a foreign process
  Starts: [45] 3318.exe

[37] 6 other processes
  Signatures: Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION; Writes to foreign memory regions; Allocates memory in foreign processes; Tries to evade analysis by executing a special instruction which causes a usermode exception
  Starts: [47] RegSvcs.exe, [50] 3924.exe, [52] conhost.exe, [54] 2 other processes

[39] grfdg.exe
  Dropped: C:\Users\user\AppData\Roaming\chhuthj.exe (PE32); C:\ProgramData\installzgd\installzgd.exe (PE32); C:\ProgramData\grfdg\installzgd.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Creates multiple autostart registry keys; Creates processes via WMI

[43] installzgd.exe
  Starts: [56] conhost.exe

[45] 3318.exe
  Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)

[47] RegSvcs.exe
  Network: 185.230.143.48:14462 (HostingvpsvilleruRU, Russian Federation)
  Starts: [58] conhost.exe

[50] 3924.exe
  Network: 135.181.142.223:30397 (HETZNER-ASDE, Germany)
Threat name: Win32.Trojan.Pwsx
Status: Malicious
First seen: 2021-09-23 23:26:05 UTC
AV detection: 17 of 45 (37.78%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:redline family:smokeloader botnet:@rarenut0 botnet:qq backdoor discovery infostealer spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://hamilaharr6.top/
http://bartanayane7.top/
http://zesiahavie8.top/
http://hancarlenei9.top/
http://samillavakiv10.top/
http://feryleromand11.top/
http://ubrianella12.top/
http://hepryceeaaa13.top/
http://viahalexandy14.top/
http://wenataliana15.top/
135.181.142.223:30397
185.230.143.48:14462
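Added example, not part of this MalwareBazaar page or of abuse.ch's tooling: a Python sweep of egress log lines against the network indicators on this page, serving both the ThreatFox IOC table above and the C2 extraction list just listed. The indicator values are copied from the page; the log format and the log lines are constructed for the example. It distinguishes an exact IP:port match, a domain (or subdomain) match, and a lower-confidence hit where only the IP matches on a different port, because a C2 host can listen on more than one port and a strict socket match would miss that.

```python
import re

# Network indicators copied from this MalwareBazaar entry: the ThreatFox IOC
# table and the sandbox "C2 Extraction" list. Nothing else here is from the page.
C2_URLS = [
    "http://194.180.174.112/",
    "http://hamilaharr6.top/",
    "http://bartanayane7.top/",
    "http://zesiahavie8.top/",
    "http://hancarlenei9.top/",
    "http://samillavakiv10.top/",
    "http://feryleromand11.top/",
    "http://ubrianella12.top/",
    "http://hepryceeaaa13.top/",
    "http://viahalexandy14.top/",
    "http://wenataliana15.top/",
]
C2_SOCKETS = {
    ("135.181.142.223", 30397),
    ("65.21.231.57", 60751),
    ("178.132.3.103", 80),
    ("185.230.143.48", 14462),
}


def _host_of(url: str) -> str:
    """Host part of a URL of the form scheme://host/path."""
    return url.split("//", 1)[1].split("/", 1)[0].lower()


C2_HOSTS = {_host_of(u) for u in C2_URLS}
# Every IP literal that appears in an indicator, with or without a port.
C2_IPS = {ip for ip, _ in C2_SOCKETS} | {h for h in C2_HOSTS if re.fullmatch(r"[\d.]+", h)}

# Constructed egress-log format for this example:
#   <timestamp> <src-ip> -> <dst-ip>:<dst-port> <http-host-or-dash>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<host>\S+)$"
)

SAMPLE_LOG = "\n".join([  # constructed lines, not real traffic
    "2021-09-24T00:01:02Z 10.0.0.5 -> 194.180.174.112:80 194.180.174.112",
    "2021-09-24T00:01:05Z 10.0.0.5 -> 135.181.142.223:30397 -",
    "2021-09-24T00:01:09Z 10.0.0.5 -> 198.51.100.7:443 cdn.example.org",
    "2021-09-24T00:01:12Z 10.0.0.7 -> 185.230.143.48:443 -",
    "2021-09-24T00:01:15Z 10.0.0.7 -> 203.0.113.9:80 www.hamilaharr6.top",
    "2021-09-24T00:01:20Z 10.0.0.9 -> 192.0.2.53:53 -",
])


def host_matches(host: str):
    """Return the C2 host that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in C2_HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def classify(line: str):
    """(verdict, evidence) for one log line; None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst, port, host = m["dst"], int(m["port"]), m["host"]
    if (dst, port) in C2_SOCKETS:
        return ("c2-socket", f"{dst}:{port}")
    ioc = host_matches(host) if host != "-" else None
    if ioc:
        return ("c2-host", ioc)
    if dst in C2_IPS:
        # Same server, different port: still worth a look, lower confidence.
        return ("c2-ip-other-port", f"{dst}:{port}")
    return ("clean", "")


def scan(log_text: str) -> list:
    """Every non-clean line as (line_no, verdict, evidence); unparsable lines are reported too."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        verdict = classify(line)
        if verdict is None:
            hits.append((n, "unparsed", line))
        elif verdict[0] != "clean":
            hits.append((n, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for n, verdict, evidence in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict} {evidence}")
```

The legitimate services the sandbox also saw (ip-api.com, api.ip.sb, t.me) are deliberately left out of the indicator set: they are used by the malware for IP lookup and C2 discovery but also by ordinary software, so matching on them alone would mostly produce false positives.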
Unpacked files
SHA256 hash: 14cd529ab1a67eeed2fdf0fe71a08b9dc8ecf61384072f676b4ff9ec3ef8fe74
MD5 hash: 125ecb7456bb5a2c5c724c2eca56f87e
SHA1 hash: 982aaa66cda8c0500e0811aa9e447cba4f0752ff

SHA256 hash: 1d53ebef1fc30a9213f181ccb214dbe43703474dd6428fef873a1c439f146223
MD5 hash: 719983d025ef6388a12440b184a5dab3
SHA1 hash: 0e3cacc34f1b47d0ae84bd85dea586358f761cf1

Malware family: Raccoon v1.7.2
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: Formbook
File: Executable exe 1d53ebef1fc30a9213f181ccb214dbe43703474dd6428fef873a1c439f146223 (this sample)
Delivery method: Distributed via web download

Comments