MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24a67748af038fb71279d9494318557036d86026598cdaa8822229221b5eac85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24a67748af038fb71279d9494318557036d86026598cdaa8822229221b5eac85
SHA3-384 hash: Calculating hash
SHA1 hash: Calculating hash
MD5 hash: 6243123ab66782fe15a75e0a626020db
humanhash: Calculating hash
File name:cz7zRfrSCw0uHOt.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'147'904 bytes
First seen:2021-12-17 03:22:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash Calculating imphash
ssdeep Calculating ssdeep hash
Threatray 12'268 similar samples on MalwareBazaar
TLSH Calculating TLSH
telfhash Calculating telfhash
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214712/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/61bc02ab8541392eb4eb8b43/reports/8171ad44-64d4-4891-936f-9303f6b812fb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/db7f2361-5e64-4c04-91eb-badc716bab71
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908887
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Powershell Defender Exclusion
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 541365 Sample: cz7zRfrSCw0uHOt.exe Startdate: 17/12/2021 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 8 other signatures 2->46 10 cz7zRfrSCw0uHOt.exe 4 2->10         started        process3 file4 32 C:\Users\user\...\cz7zRfrSCw0uHOt.exe.log, ASCII 10->32 dropped 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->58 60 Adds a directory exclusion to Windows Defender 10->60 62 Tries to detect virtualization through RDTSC time measurements 10->62 64 Injects a PE file into a foreign processes 10->64 14 cz7zRfrSCw0uHOt.exe 10->14         started        17 powershell.exe 20 10->17         started        signatures5 process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 Queues an APC in another process (thread injection) 14->72 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 34 heavenlyhighcreations.com 173.201.186.8, 49794, 80 AS-26496-GO-DADDY-COM-LLCUS United States 19->34 36 www.regenerativepatients.com 19->36 38 2 other IPs or domains 19->38 48 System process connects to network (likely due to code injection or exploit) 19->48 25 cscript.exe 19->25         started        signatures10 process11 signatures12 50 Self deletion via cmd delete 25->50 52 Modifies the context of a thread in another process (thread injection) 25->52 54 Maps a DLL or memory area into another process 25->54 56 Tries to detect virtualization through RDTSC time measurements 25->56 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Gathering data
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=esthosfpaoh3oetz3feuggcvoa3nqybglggnvkeceiuseg26vscq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
30c4d8cc68cc16af698b521cf9e31a8540f0c5cce8e2d66e874fc62a87dae393
Formbook
3bc25439a27fa2e9385f42bfc9b9a6caa56dc076ccc07fd2aa4684c0292c9622
Formbook
4cc5a0fb10d6235a197da2d08df9af6afae59ceaffb0c7054cfb087eb5c039b6
Formbook
6810f77478c037f70109dfb99877a6dd3bd80496ee7cc304027f2803a2209ab5
Formbook
83708560ecc442b5b6dadbdf5af39ae4f1e843664c932a9de3eff1e38bf6d4a5
Formbook
8d0f3056715cf96af14714339ef1bc6fef37da86983bd0ba175e098eb0c2be8b
Formbook
90f9e8094fe8847f4b4521afafd5c5e59d4368ddc26a4f589730cd998520fd50
Formbook
c63cb761da677849b8382eb1d926569f00a04d57f2c789b63e7f2eb2e368a00c
Formbook
c781169f80930851f2174df529d1aaba061c45fd7ef90c5059a7c513bfda3414
Formbook
e2682ee08233df5afc90d9295165ffed0373e4f34278d99d5a30622c2577639b
Formbook
+ 12'258 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ruje evasion rat spyware stealer trojan
Link:
https://tria.ge/reports/211217-dxm2fadba8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Unpacked files
SH256 hash:
46335ee824965f30ec8ee2d94a06aeb16780bacb4494bad9615107471bc10f64
MD5 hash:
6259b74d509ea12190861138209258d2
SHA1 hash:
8632ea07340fa03c77b1a38a55da1ac41dfc4898
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4d8cb09f-7ec0-44fe-9295-47c7d9557d99/
Parent samples :
5a8d5ae67ced20c08bcdfb390c7424db82ee389b96303fe2e1f3e7e183da3166
83f231a4e196b10089d16db819c71bfc5cc543fb55ea5ea63aee2d1285ff3dc3
24a67748af038fb71279d9494318557036d86026598cdaa8822229221b5eac85
SH256 hash:
42f44aedd8eedebd456ccc7c463973b35f17947385d6303c266d6daa35767c1a
MD5 hash:
511561ca369e2fd5e2fbde5ccac33880
SHA1 hash:
181428e1dbbb5ca79f1f33ee5ba0f5d8c8cec300
Link:
https://www.unpac.me/results/4d8cb09f-7ec0-44fe-9295-47c7d9557d99/
SH256 hash:
9f5763966bacdc6de3944a6e06a49b05869c38f2e98b32cb93b483a480a6ffff
MD5 hash:
3418c620c4b9dd4533a88f1ba5ec3ff1
SHA1 hash:
12f6aaf1c90030c4063d42a27b2e7000a08b6e74
Link:
https://www.unpac.me/results/4d8cb09f-7ec0-44fe-9295-47c7d9557d99/
SH256 hash:
24a67748af038fb71279d9494318557036d86026598cdaa8822229221b5eac85
MD5 hash:
6243123ab66782fe15a75e0a626020db
SHA1 hash:
c0625aa6128a2cfef1ecf224aa18255da7a353ee
Link:
https://www.unpac.me/results/4d8cb09f-7ec0-44fe-9295-47c7d9557d99/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/24a67748af03/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 24a67748af038fb71279d9494318557036d86026598cdaa8822229221b5eac85

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/214712/

Comments