MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4660ad3420890a6ce1c9e47ac50d398f6ba128e0d4205e69e82e012c169e5d95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4660ad3420890a6ce1c9e47ac50d398f6ba128e0d4205e69e82e012c169e5d95
SHA3-384 hash: 6aba403a7b0c3f1a62d4186a550ed9b41837f4541e3d602d6447394703e4bc8cf4729036d3c271f048d2322ef5f0aa8c
SHA1 hash: 74d2836881bc7b2e63fe846fd2469e91a610f0de
MD5 hash: 01a8617169df63c622484ccf961c238d
humanhash: kentucky-six-september-papa
File name:HussCrypted.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:429'568 bytes
First seen:2020-11-03 14:21:24 UTC
Last seen:2020-11-03 16:04:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f22891b7d5ebcb8d8f6c829f0ff2412 (1 x Formbook)
ssdeep 6144:cJCt6ush78UMboD+qoKqbscksSCjhIGzYv1dJNiukj:vt6us6oZbQ3hIGcvBNiu
Threatray 2'786 similar samples on MalwareBazaar
TLSH 859423B6CE33044BF260CD7369CF4EE4E969E9924160CA75ACD9FCAD157B4804E053BA
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/82071/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Changing a file
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/519266
Signature
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 308732 Sample: HussCrypted.exe Startdate: 03/11/2020 Architecture: WINDOWS Score: 100 31 www.boostsantestore.com 2->31 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 2 other signatures 2->47 11 HussCrypted.exe 6 2->11         started        signatures3 process4 dnsIp5 39 192.168.2.1 unknown unknown 11->39 57 Maps a DLL or memory area into another process 11->57 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 Contains functionality to detect sleep reduction / modifications 11->61 15 HussCrypted.exe 11->15         started        18 splwow64.exe 11->18         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 20 explorer.exe 15->20 injected process9 dnsIp10 33 cmplubumbashi.net 67.20.76.65, 49758, 80 UNIFIEDLAYER-AS-1US United States 20->33 35 www.archidzen.com 109.70.26.37, 49756, 80 RU-CENTERRU Russian Federation 20->35 37 21 other IPs or domains 20->37 49 System process connects to network (likely due to code injection or exploit) 20->49 24 msiexec.exe 20->24         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 24->51 53 Maps a DLL or memory area into another process 24->53 55 Tries to detect virtualization through RDTSC time measurements 24->55 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4660ad3420890a6ce1c9e47ac50d398f6ba128e0d4205e69e82e012c169e5d95/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-11-03 07:12:00 UTC
File Type:
PE (Exe)
Extracted files:
142
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
295b66b15ac99b8f3684995b627af139171b64b050baf27aafb0fffb8ab4f4eb
Formbook
339505a9dc4fdae3e5a44a6d33230c75d181a8674bead358b8c9012156f4672d
Formbook
72696d78e02a5f32462855866fee3ddba93f53a0a1bb84c58c98e84d623f3abd
Formbook
76b5083ce1a34c82e63cded85ecdf767f9d254e99a0d49174fbdd4a449857e41
Formbook
89c0e9f07b4245f97dccad1b925e19ad1a436b61c5fce2f2f12bc05c0042dcbe
Formbook
ac2e9615b368e00fb4bf4d5180bbfc0d6fb7bbce3fa1af603d346d7a8f2450e5
Formbook
adfaf60f2ef07cd0b6f3fdd429fb94e76376ebf41b0b615d2664449e6adb358e
Formbook
d9959e883e5040a3f0b0eeed42e79f42ef2274dc8d00c3f5c4e4161cd7796708
Formbook
da455c9459a51e64557b7f36c33a3ef60fdc43b647d1f2f480c3de5d31b2aa2f
Formbook
e85ece3cee51156974c3fb8f0e2c707dae2b51b0d2db9e5fb10531d2fdd76ca6
Formbook
+ 2'776 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan upx
Link:
https://tria.ge/reports/201103-gqnp2ryjcj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
UPX packed file
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.eparegistrar.com/cia6/
Unpacked files
SH256 hash:
4660ad3420890a6ce1c9e47ac50d398f6ba128e0d4205e69e82e012c169e5d95
MD5 hash:
01a8617169df63c622484ccf961c238d
SHA1 hash:
74d2836881bc7b2e63fe846fd2469e91a610f0de
Link:
https://www.unpac.me/results/0e2bfa90-6b96-4868-b1b2-8864fd2b873f/
SH256 hash:
371d1c5717500162f136b1e7347b814b07f00467146741791372e54f55143a7a
MD5 hash:
d79a7937560fec22a6527afba55c0518
SHA1 hash:
ad521a11fae758e53bc127bb0fb30f785581c8e2
Link:
https://www.unpac.me/results/0e2bfa90-6b96-4868-b1b2-8864fd2b873f/
SH256 hash:
8dd9842ca5eb65d317447a25249785e023dda7755dd3293fe747953c4e62e326
MD5 hash:
a6da1f96f74a04c26cdaf7647d10cf52
SHA1 hash:
5522252e58e045b22a1888d4bb2fc4bbef6594ff
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0e2bfa90-6b96-4868-b1b2-8864fd2b873f/
Parent samples :
ac2e9615b368e00fb4bf4d5180bbfc0d6fb7bbce3fa1af603d346d7a8f2450e5
4660ad3420890a6ce1c9e47ac50d398f6ba128e0d4205e69e82e012c169e5d95
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4660ad3420890a6ce1c9e47ac50d398f6ba128e0d4205e69e82e012c169e5d95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/82071/
  
URLhaus
https://urlhaus.abuse.ch/url/783011/

Comments