MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dee0eaa7eac6aad2c4a7814d96babd45c25c43c43ab226c403830a5e8470b01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4dee0eaa7eac6aad2c4a7814d96babd45c25c43c43ab226c403830a5e8470b01
SHA3-384 hash: 413d4ab1274c070f10468cc1f4414d910af81e5803d0fd5994b23a106cf9db6c0ffe1cbcaed86661c53e619eb6ffb4ac
SHA1 hash: 2bce94385943922147c83ecff9885a90be7512f3
MD5 hash: 948ea18679d4e41402aac119207292d4
humanhash: batman-sink-coffee-fix
File name:Drawings HQ30-DM140.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:850'944 bytes
First seen:2021-11-08 01:05:29 UTC
Last seen:2021-11-08 03:20:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:OhHexvpe47IfpKzAKt5/sWFh5BhvnYjp5wylGl:hNpNkxKzzT/dh5BhvnYjp5wylG
TLSH T1BE055B05A7D44D09C37E03709429A06CED515E7B663DC258BE8E36BF3BBBA10466372B
File icon (PE):PE icon
dhash icon 79e4e4ccccc4c4c0 (11 x Formbook, 9 x RedLineStealer, 3 x AgentTesla)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Drawings HQ30-DM140.exe
Verdict:
Malicious activity
Analysis date:
2021-11-08 04:28:42 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/b99813fa-68e7-4732-b912-474bdf51ce50

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/203118/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.30427.21990.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/618877fcd8143ea269ce2bf0/reports/c43ccf7d-ff08-4e86-9c03-e129a77ed027/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e73ffa8d-2cbc-45f4-8bfb-0bd1b706e20a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/884923
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 517381 Sample: Drawings HQ30-DM140.exe Startdate: 08/11/2021 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 7 other signatures 2->49 9 Drawings HQ30-DM140.exe 3 2->9         started        process3 signatures4 51 Injects a PE file into a foreign processes 9->51 12 Drawings HQ30-DM140.exe 9->12         started        15 Drawings HQ30-DM140.exe 9->15         started        process5 signatures6 53 Modifies the context of a thread in another process (thread injection) 12->53 55 Maps a DLL or memory area into another process 12->55 57 Sample uses process hollowing technique 12->57 59 Queues an APC in another process (thread injection) 12->59 17 control.exe 12->17         started        20 explorer.exe 12->20 injected process7 dnsIp8 33 Self deletion via cmd delete 17->33 35 Modifies the context of a thread in another process (thread injection) 17->35 37 Maps a DLL or memory area into another process 17->37 39 Tries to detect virtualization through RDTSC time measurements 17->39 23 cmd.exe 1 17->23         started        27 www.meta-spacex.com 20->27 29 www.globalsxports.com 20->29 31 webredir.vip.gandi.net 217.70.184.50, 49814, 80 GANDI-ASDomainnameregistrar-httpwwwgandinetFR France 20->31 41 System process connects to network (likely due to code injection or exploit) 20->41 signatures9 process10 process11 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4dee0eaa7eac6aad2c4a7814d96babd45c25c43c43ab226c403830a5e8470b01/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-11-08 01:06:05 UTC
AV detection:
5 of 45 (11.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jxxa5kt6vrvk2lckpakns25l2roclrb4iovse3cahaykl2chbmaq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:wk31 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/211108-bf4azsgdal/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.firstho.com/wk31/
Unpacked files
SH256 hash:
7eb30f80bde9ddb3857eff92ffdcae0019c12f0713f0978b1826f1ed03f24bed
MD5 hash:
545927149685d06991791f179918b99c
SHA1 hash:
267831dff59f79ac51ada53d29572366d0829a19
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/17b71d1d-2d20-49a5-8ccd-41b3e86f7588/
Parent samples :
f8d83d34e0fc406604af9a11462e8e8ad2b3cd5d3cebe4576e1792a3b861e84b
4dee0eaa7eac6aad2c4a7814d96babd45c25c43c43ab226c403830a5e8470b01
eec7134cc1487d8774af92e127422beaadfda308d32039afaec0c815ca70dc5c
SH256 hash:
91655863c7906a8d20c7c782144f553c027843a72f2fdab2b1ccc80808083af0
MD5 hash:
b5044dd0e9c91b1a9185d491da7d07f2
SHA1 hash:
a9ff8129771d85f77b6a145f750c70e53f51125e
Link:
https://www.unpac.me/results/17b71d1d-2d20-49a5-8ccd-41b3e86f7588/
SH256 hash:
4cb5eb1302f99bfd520fb32bc7f48fd6376ef2c7a8bf608ecb45b386184ec21d
MD5 hash:
905b81f06eb92b57c8e7d3a868b10eb0
SHA1 hash:
3a99ff5b075e788a9ad143c698f6245b0c1930e5
Link:
https://www.unpac.me/results/17b71d1d-2d20-49a5-8ccd-41b3e86f7588/
SH256 hash:
4dee0eaa7eac6aad2c4a7814d96babd45c25c43c43ab226c403830a5e8470b01
MD5 hash:
948ea18679d4e41402aac119207292d4
SHA1 hash:
2bce94385943922147c83ecff9885a90be7512f3
Link:
https://www.unpac.me/results/17b71d1d-2d20-49a5-8ccd-41b3e86f7588/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4dee0eaa7eac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4dee0eaa7eac6aad2c4a7814d96babd45c25c43c43ab226c403830a5e8470b01

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/203118/

Comments