MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d80ab79360b092bb5d8fa41d14388dffe5ef42839b6dbbf741f0ce5c3424d1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d80ab79360b092bb5d8fa41d14388dffe5ef42839b6dbbf741f0ce5c3424d1e
SHA3-384 hash: 7b9b5d33d7061b79cfc45e3f6e9e78c81ef5b0d4509da80c5f622747ac046a3cd99427fec2b636107f29e725ab11e439
SHA1 hash: 73e8625983cb413b91b608db347177584c680a22
MD5 hash: 717297fec68e9172593a36a67549619f
humanhash: ack-beer-nebraska-friend
File name:Bdcuhmcgbsvmxhmuasrulqqnfbjdnogomk.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:833'536 bytes
First seen:2021-09-11 15:54:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a6f9ce49927a1276962e131ee30a4701 (4 x AveMariaRAT, 2 x NetWire, 2 x RemcosRAT)
ssdeep 12288:GDylNhPTW3jR+9bHoraZlojpF/b8PmcuVpvC1VGEdPj:j7I3N8DoraZ6d8unzUV1
Threatray 9'262 similar samples on MalwareBazaar
TLSH T1F1054C35E1E829FEE05647F91C2971F684227E3138187CD96EB538C80EBA64361357AF
dhash icon acacacb6a2968eaa (13 x RemcosRAT, 4 x Formbook, 4 x AveMariaRAT)
Reporter AndreGironda
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bdcuhmcgbsvmxhmuasrulqqnfbjdnogomk.exe
Verdict:
Malicious activity
Analysis date:
2021-09-11 15:58:10 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/8c4bf4fb-d865-413e-aac0-2ebe540a4745

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187074/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Variant.Zusy.400069.18306.23715.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1411ce3c-6f7d-4ab6-af98-6bf578d2f1be
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849219
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481648 Sample: Bdcuhmcgbsvmxhmuasrulqqnfbj... Startdate: 11/09/2021 Architecture: WINDOWS Score: 100 34 Multi AV Scanner detection for domain / URL 2->34 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 4 other signatures 2->40 10 Bdcuhmcgbsvmxhmuasrulqqnfbjdnogomk.exe 15 2->10         started        process3 dnsIp4 32 cdn.discordapp.com 162.159.130.233, 443, 49738, 49739 CLOUDFLARENETUS United States 10->32 50 Writes to foreign memory regions 10->50 52 Allocates memory in foreign processes 10->52 54 Creates a thread in another existing process (thread injection) 10->54 56 Injects a PE file into a foreign processes 10->56 14 mobsync.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 2 other signatures 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 28 www.kensyu-kan.com 156.250.206.123, 49779, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 17->28 30 www.debbiewilsondesigns.com 17->30 42 System process connects to network (likely due to code injection or exploit) 17->42 21 chkdsk.exe 17->21         started        signatures10 process11 signatures12 44 Modifies the context of a thread in another process (thread injection) 21->44 46 Maps a DLL or memory area into another process 21->46 48 Tries to detect virtualization through RDTSC time measurements 21->48 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d80ab79360b092bb5d8fa41d14388dffe5ef42839b6dbbf741f0ce5c3424d1e/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-11 13:40:06 UTC
AV detection:
25 of 44 (56.82%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jwakw6jwbmesxnoy7ja5cq4i377f55bihg3nxp3ud4golq2cjupa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19fea0b558bc85df1bec0bd5a086fd2678767117999762731b0f6fe15e1c590a
Formbook
1a7126ebae2322bac10b972bd00d62687e5f5e5b7f59c6ab63b9310180f3ce4e
Formbook
3da43dfd3613eeaf2ed56f10624f2dabdb80948c842c98fd0e26688fe55728a7
Formbook
6b93224c145b221ac786bf10b1471af61722e45bbd41a029789170ea7f1c0751
Formbook
7d0cc599bf46f1b454dc8a9c5abe86f6ba3c97032f153864513b98ccde3bc0cb
Formbook
87946dcd976eb13af37e24ff68e36a03d2f46a9ae474f336207cf03cbbb0b508
Formbook
c26154711ca9d9d48de370f242deb560bd0b99a0c8f12a2d1db5d4cd6e25d107
Formbook
caae480439293c7be6bb9ca27621f5b99c7391d6b7fddc179d5f5627c6144d08
Formbook
dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac
Formbook
+ 9'252 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:3nop rat spyware stealer trojan
Link:
https://tria.ge/reports/210911-tcsdesbec4/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.jakesplacebarbers.com/3nop/
Unpacked files
SH256 hash:
cd4b225505e84218ef7418c8e5f41acbb67c51bd43e9ddcfa25341259377d3df
MD5 hash:
b7816cb3535b2f2675804d3052295003
SHA1 hash:
db4588853aa1ec16b1f2d29b1e873a653a1ecb13
Link:
https://www.unpac.me/results/cf80518d-7844-4227-b08e-96c6e51f4134/
SH256 hash:
4d80ab79360b092bb5d8fa41d14388dffe5ef42839b6dbbf741f0ce5c3424d1e
MD5 hash:
717297fec68e9172593a36a67549619f
SHA1 hash:
73e8625983cb413b91b608db347177584c680a22
Link:
https://www.unpac.me/results/cf80518d-7844-4227-b08e-96c6e51f4134/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4d80ab79360b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/4d80ab79360b092bb5d8fa41d14388dffe5ef42839b6dbbf741f0ce5c3424d1e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 8b516901a17ec32794de8c3577cba8cdcc9e85577a5d2e8a244cd202b5b01cc7

Formbook

Executable exe 4d80ab79360b092bb5d8fa41d14388dffe5ef42839b6dbbf741f0ce5c3424d1e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1610002/
  
Link
https://menshaway.blogspot.com/2021/07/iocs-1172021.html
  
X
https://twitter.com/JAMESWT_MHT/status/1407989410965200901
  
Link
https://tria.ge/210911-ck1lbsage2
  
Dropped by
SHA256 8b516901a17ec32794de8c3577cba8cdcc9e85577a5d2e8a244cd202b5b01cc7
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/187074/

Comments