MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39c27e2a7ec3b5603e184f041bbb07196f6feb885813500fec5ac5fdefca8e1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39c27e2a7ec3b5603e184f041bbb07196f6feb885813500fec5ac5fdefca8e1d
SHA3-384 hash: 8d101afa7fdd11d835269767429234ae2cee64fa096f9bc385a0ef50c82ae5aaa32981f16b2cf54f351b381e1072f9ed
SHA1 hash: 76077f19d2230b7bf89d0bad23eb5e64db307069
MD5 hash: de630bb125976ff343544b5645ea3ea1
humanhash: sink-stairway-lemon-east
File name:de630bb125976ff343544b5645ea3ea1
Download: download sample
Signature Formbook
Create hunting rule
File size:26'624 bytes
First seen:2021-07-22 15:45:55 UTC
Last seen:2021-07-22 17:50:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash eb4027891a3c2b24db6240a4f60e56ad (3 x Formbook)
ssdeep 768:zo9xN+bR7+twwttnNdymEnWSD+yR7t6lKj:MPwbRMrJEnWzyR7AYj
Threatray 3 similar samples on MalwareBazaar
TLSH T1C4C2E80BB3412BADD505C4F4919D633394F2F4373B5A27AEA7E082633D395E86935670
Reporter zbetcheckin
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://172.245.119.43/d/sharp.exe
Verdict:
No threats detected
Analysis date:
2021-07-22 15:30:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8a3b89c1-ed60-4ccb-a3ca-23188aa17c6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173379/
Detection(s):
SecuriteInfo.com.W64.Noon.A.17490.2049.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd5bc8fa-84d1-44d6-b35c-3e038c281568
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820283
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious PowerShell Command Line
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Very long command line found
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 452694 Sample: q6pnkIaviT Startdate: 22/07/2021 Architecture: WINDOWS Score: 100 35 google.com 2->35 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 4 other signatures 2->57 12 q6pnkIaviT.exe 1 2->12         started        signatures3 process4 signatures5 71 Obfuscated command line found 12->71 73 Very long command line found 12->73 15 powershell.exe 32 12->15         started        19 conhost.exe 12->19         started        process6 dnsIp7 43 cdn.discordapp.com 162.159.135.233, 443, 49730 CLOUDFLARENETUS United States 15->43 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->45 47 Writes to foreign memory regions 15->47 49 Injects a PE file into a foreign processes 15->49 21 calc.exe 15->21         started        signatures8 process9 signatures10 59 Modifies the context of a thread in another process (thread injection) 21->59 61 Maps a DLL or memory area into another process 21->61 63 Sample uses process hollowing technique 21->63 65 2 other signatures 21->65 24 explorer.exe 21->24 injected process11 dnsIp12 37 shops.myshopify.com 23.227.38.74, 49768, 80 CLOUDFLARENETUS Canada 24->37 39 www.wabizo.net 24->39 41 2 other IPs or domains 24->41 67 System process connects to network (likely due to code injection or exploit) 24->67 69 Uses netstat to query active network connections and open ports 24->69 28 NETSTAT.EXE 24->28         started        signatures13 process14 signatures15 75 Modifies the context of a thread in another process (thread injection) 28->75 77 Maps a DLL or memory area into another process 28->77 79 Tries to detect virtualization through RDTSC time measurements 28->79 31 cmd.exe 1 28->31         started        process16 process17 33 conhost.exe 31->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39c27e2a7ec3b5603e184f041bbb07196f6feb885813500fec5ac5fdefca8e1d/
Threat name:
Win64.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 15:46:06 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  2/5
Verdict:
unknown
Similar samples:
4f3129e7343d1dee0695d18f265f88610ec1c04132be5d1888993278daf8920e
Formbook
c81fe7326d72e662a185c7bccb19bd31481ffdf53ef0fb1019027d9d16e5a9d9
Formbook
cae79d8ceb527eb8367b1df9e916718e4329d2768ed0b7e61f7c406af9d21f31
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210722-xfzmr63qq2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.howmucharemyrarecoinsworth.com/jn7g/
Unpacked files
SH256 hash:
39c27e2a7ec3b5603e184f041bbb07196f6feb885813500fec5ac5fdefca8e1d
MD5 hash:
de630bb125976ff343544b5645ea3ea1
SHA1 hash:
76077f19d2230b7bf89d0bad23eb5e64db307069
Link:
https://www.unpac.me/results/a1efc195-6816-4e7c-b3c2-9c3f348f6478/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39c27e2a7ec3b5603e184f041bbb07196f6feb885813500fec5ac5fdefca8e1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 39c27e2a7ec3b5603e184f041bbb07196f6feb885813500fec5ac5fdefca8e1d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1473782/
Cape
Cape
https://www.capesandbox.com/analysis/173379/

Comments


Avatar
zbet commented on 2021-07-22 15:45:56 UTC

url : hxxp://172.245.119.43/d/sharp.exe