MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 429cc06eefa31821417d3b4f6ec5a69a352513d739499af2c6e9bce39d6d0542. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 429cc06eefa31821417d3b4f6ec5a69a352513d739499af2c6e9bce39d6d0542
SHA3-384 hash: bd8ca361c9b48cb2dba635df7079e01b23d27534b1da9c348c9865091ecf3d1a2ba5bed8140c76b27fd099a1ad1f203a
SHA1 hash: 45fc7e10195494a754c7769572ea40fc658bacab
MD5 hash: 07be052866fc5a9af1d0c38b21cd7f0a
humanhash: angel-three-social-sink
File name:07be052866fc5a9af1d0c38b21cd7f0a.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'333'635 bytes
First seen:2020-12-21 07:54:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep 24576:Z5xolYQY6R4IODQatxQsj0rR7tMT2U45gedfn:cYuibWrR5i2fn
Threatray 5'772 similar samples on MalwareBazaar
TLSH 4B55AF257AE9601DF173AFB14AE471D6EA6EBA732B02D85F119003464533A43F9E123F
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a7dee0e986468c526a69e0afabe61cca.xlsx
Verdict:
Malicious activity
Analysis date:
2020-12-21 05:15:43 UTC
Tags:
encrypted trojan exploit CVE-2017-11882 loader formbook stealer
Link:
https://app.any.run/tasks/2272ea4f-031e-44b5-bc01-42361757623f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Win.Trojan.VBGeneric-6735885-0
Create hunting rule

Win.Virus.Sality-6747602-0
Create hunting rule

Win.Malware.Swisyn-7610494-0
Create hunting rule

Win.Virus.Sality-6335700-2
Create hunting rule

Win.Trojan.Kazy-304
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Sending a UDP request
Unauthorized injection to a recently created process
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/567249
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 332706 Sample: zJXDkalK64.exe Startdate: 21/12/2020 Architecture: WINDOWS Score: 100 73 www.shopcryptocurrency247.com 2->73 75 www.riellymoore.com 2->75 77 4 other IPs or domains 2->77 103 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->103 105 Malicious sample detected (through community Yara rule) 2->105 107 Antivirus detection for dropped file 2->107 109 14 other signatures 2->109 12 zJXDkalK64.exe 1 4 2->12         started        signatures3 process4 file5 65 C:\Users\user\Desktop\zjxdkalk64.exe, PE32 12->65 dropped 67 C:\Users\user\AppData\Local\icsys.icn.exe, PE32 12->67 dropped 121 Installs a global keyboard hook 12->121 16 icsys.icn.exe 3 12->16         started        21 zjxdkalk64.exe 3 12->21         started        signatures6 process7 dnsIp8 71 192.168.2.1 unknown unknown 16->71 59 C:\Windows\System\explorer.exe, PE32 16->59 dropped 93 Antivirus detection for dropped file 16->93 95 Machine Learning detection for dropped file 16->95 97 Drops executables to the windows directory (C:\Windows) and starts them 16->97 101 2 other signatures 16->101 23 explorer.exe 3 17 16->23         started        99 Injects a PE file into a foreign processes 21->99 file9 signatures10 process11 dnsIp12 79 vccmd03.googlecode.com 23->79 81 vccmd02.googlecode.com 23->81 83 4 other IPs or domains 23->83 61 C:\Windows\System\spoolsv.exe, PE32 23->61 dropped 63 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 23->63 dropped 113 Antivirus detection for dropped file 23->113 115 System process connects to network (likely due to code injection or exploit) 23->115 117 Creates an undocumented autostart registry key 23->117 119 3 other signatures 23->119 28 spoolsv.exe 2 23->28         started        file13 signatures14 process15 file16 69 C:\Windows\System\svchost.exe, PE32 28->69 dropped 123 Antivirus detection for dropped file 28->123 125 Machine Learning detection for dropped file 28->125 127 Drops executables to the windows directory (C:\Windows) and starts them 28->127 129 2 other signatures 28->129 32 svchost.exe 4 3 28->32         started        signatures17 process18 file19 57 C:\Users\user\AppData\Local\stsys.exe, PE32 32->57 dropped 85 Antivirus detection for dropped file 32->85 87 Machine Learning detection for dropped file 32->87 89 Drops executables to the windows directory (C:\Windows) and starts them 32->89 91 Installs a global keyboard hook 32->91 36 spoolsv.exe 1 32->36         started        39 at.exe 32->39         started        41 at.exe 32->41         started        43 14 other processes 32->43 signatures20 process21 signatures22 111 Installs a global keyboard hook 36->111 45 conhost.exe 39->45         started        47 conhost.exe 41->47         started        49 conhost.exe 43->49         started        51 conhost.exe 43->51         started        53 conhost.exe 43->53         started        55 10 other processes 43->55 process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/429cc06eefa31821417d3b4f6ec5a69a352513d739499af2c6e9bce39d6d0542/
Threat name:
Win32.Trojan.Swisyn
Create hunting rule
Status:
Malicious
First seen:
2020-12-21 07:55:07 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ikoma3xpummccql5hnhw5rngti2ske6xhfezv4wg5g6ohhlnavba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
avemaria
Create hunting rule
Similar samples:
04274b027d3bd09ec0d7b58ff5af64aa06e626668995cb5ef6d7fad939bc6c33
Formbook
0d5af6ad459d48db0b27ab6ab4584191097bfc33c4f2475ce1b3a66e523e2bef
Formbook
12898cbec097104c225702c61e311cc6e12d0f4ac55b95a1eb41a812e6941748
Formbook
7a39513f428374b50a41c8d30a1704906270005c4675db03d810f9970fd96bbf
Formbook
80d6f86936cc5e0190138c00ef2a03b2ec8abc19a1b2a7a0b3683e864f4fa982
Formbook
ab2d651176cc27c6b41e7d6bdb060c328d66e68c4fb8df1b2c0a217187b2c15d
Formbook
df8f7e81b9ccea1324a19fd1356c8fb79ea5623ba4095195f86c29f3816b5f7f
Formbook
e07c9d7c06c5ebc0b53aba5bb6c35edd07169401a08e016ca68fa5677db00370
Formbook
f1ca0286fa691166ab71220ee3243bcfa4e73b17247e382edaf6c1590d50d3a2
Formbook
fd9f113a78e94fc975ba4e5e940c91395e63b5ea904e7690fbad9f569b6da1b8
Formbook
+ 5'762 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xmrig evasion miner persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201221-mtdb8jdp4x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Looks for VMWare Tools registry key
Modifies Installed Components in the registry
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
xmrig
Malware Config
C2 Extraction:
http://www.thesiromiel.com/kgw/
Unpacked files
SH256 hash:
429cc06eefa31821417d3b4f6ec5a69a352513d739499af2c6e9bce39d6d0542
MD5 hash:
07be052866fc5a9af1d0c38b21cd7f0a
SHA1 hash:
45fc7e10195494a754c7769572ea40fc658bacab
Link:
https://www.unpac.me/results/6965ed7b-6379-4fe3-8586-0a56e35c6010/
SH256 hash:
89d24e0180be9cf8adcd1bd25c897c5e3bf52675633dc34d04b72f92cc036d66
MD5 hash:
6d0fce0eff0d8b6169ad8f8a6878a933
SHA1 hash:
5f9a0eff3207ae4171518098fe0bbb8dcbb4cf6f
Link:
https://www.unpac.me/results/6965ed7b-6379-4fe3-8586-0a56e35c6010/
SH256 hash:
1c62f975ba3353f56b0cd96e24be75249dfec8184c9b1e5634d6f7008028f1a0
MD5 hash:
3a1e6dd110292b49268ded3581588b6f
SHA1 hash:
c8efed119ebd340d011636e43b0342b99df8793c
Link:
https://www.unpac.me/results/6965ed7b-6379-4fe3-8586-0a56e35c6010/
SH256 hash:
489f959338dbbb07dfb956d84cd8f468c47db61e84cac3aa2a9ab8234ec4bb06
MD5 hash:
d28e4c45d25b5962271fcd2df15a98c1
SHA1 hash:
f3166c799e05db8e2ece3bdf57dce4851a4c972a
Link:
https://www.unpac.me/results/6965ed7b-6379-4fe3-8586-0a56e35c6010/
SH256 hash:
aad915b772d0bcdbabe6fe0fd3c1a84e0981fc534696240e50641222fa8b24ca
MD5 hash:
d96bcf3af61546626cfb2b73880f76cb
SHA1 hash:
ed7a283cebea32d3cce519d8f1c48e59adb718b9
Link:
https://www.unpac.me/results/6965ed7b-6379-4fe3-8586-0a56e35c6010/
SH256 hash:
b087a4c845235d514eb24a87f9af3c3f4171050906450d2d185e056caa4ba0f6
MD5 hash:
63ba6b8c7406b7c5af6526977517a7bf
SHA1 hash:
704e4e782aa010d23342b5bff350024a355c88d4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6965ed7b-6379-4fe3-8586-0a56e35c6010/
Parent samples :
ab2d651176cc27c6b41e7d6bdb060c328d66e68c4fb8df1b2c0a217187b2c15d
12898cbec097104c225702c61e311cc6e12d0f4ac55b95a1eb41a812e6941748
c11060e98a1fd5927043effed391b0278f0b5ffcc6a0e1afe63cc9b0831d0c50
04274b027d3bd09ec0d7b58ff5af64aa06e626668995cb5ef6d7fad939bc6c33
f1ca0286fa691166ab71220ee3243bcfa4e73b17247e382edaf6c1590d50d3a2
7a39513f428374b50a41c8d30a1704906270005c4675db03d810f9970fd96bbf
e07c9d7c06c5ebc0b53aba5bb6c35edd07169401a08e016ca68fa5677db00370
df8f7e81b9ccea1324a19fd1356c8fb79ea5623ba4095195f86c29f3816b5f7f
80d6f86936cc5e0190138c00ef2a03b2ec8abc19a1b2a7a0b3683e864f4fa982
429cc06eefa31821417d3b4f6ec5a69a352513d739499af2c6e9bce39d6d0542
e98f391c97abc8da96024452a1792e3eb6c559e2a2fbf5ac930ae3d772d833f5
9dddc8004c534fb2ebb6ad63cd96c11a97d87c87c1fc8eb46a6df36ecc341c18
2fd6b2288864f3a099a32bd923f7b3c67db00c979aa2e46db125e104618e92b7
04e7f27915298f09a1486331df3f0e5121e4a7856f41290f48200255b8b82df8
326090842ee6d692e02ae131a2003658939f60e79bceb7bad983cfe16400062f
623c65639a4364546031c5edb9780ab9cbbe5e6713d09518805dcaded8e425a0
14ee2894b546ba6d7835ee4dd8e07ef72fb10bfaebec8f1687da4559267cb72e
dc7d5ba2b99378adec017bb8911f3d2efd3cccf02bd0dc270e3c5ea2f875fc94
8fb9729078316a776fe49e10ae501467bac7d4df61278ca89fb08e1252ddb147
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Swisyn
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/429cc06eefa31821417d3b4f6ec5a69a352513d739499af2c6e9bce39d6d0542

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 429cc06eefa31821417d3b4f6ec5a69a352513d739499af2c6e9bce39d6d0542

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/934666/
  
Delivery method
Distributed via web download

Comments