MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 620ae1d3eb33c1af2241a3a28a2a91da72d8579c8a722ed1c3b4072b4f33a56f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 620ae1d3eb33c1af2241a3a28a2a91da72d8579c8a722ed1c3b4072b4f33a56f
SHA3-384 hash: 5304be82b6545235e4128b5376689ddd8330ad9874bbe925fa91d0bb059d935d5c603ec0f38891522f0153afb9c651d7
SHA1 hash: d218faba31588edfca49d6284bd7fff539f965ac
MD5 hash: ca0d5a00209e3a1cce689ab87f96f435
humanhash: vermont-michigan-iowa-victor
File name:ca0d5a00209e3a1cce689ab87f96f435.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:420'963 bytes
First seen:2020-11-19 09:27:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 12288:WansP6vzhRCur/CRoQtVlSzeA9Hdbl0ZYWUNaUBGJ3x4:mAzv/CiSczeA9Hdx0+W4BGtx4
Threatray 3'216 similar samples on MalwareBazaar
TLSH A19422C96A19C8A3D93801B11179A97BBAF7AF0A458D9A474F547F0E7C34CA1370C2DA
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/542625
Signature
Creates executable files without a name
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 320410 Sample: u8u7GG8XMY.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 2 other signatures 2->52 11 u8u7GG8XMY.exe 65 2->11         started        process3 file4 32 C:\Users\user\AppData\...\DrongoAccord.dll, PE32 11->32 dropped 34 C:\Users\user\AppData\Local\Temp\...\.dll, GIF 11->34 dropped 36 C:\Users\user\AppData\...\vswebdesignedui.dll, PE32 11->36 dropped 38 8 other files (none is malicious) 11->38 dropped 70 Creates executable files without a name 11->70 15 rundll32.exe 11->15         started        signatures5 process6 signatures7 72 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->72 74 Hijacks the control flow in another process 15->74 76 Maps a DLL or memory area into another process 15->76 18 cmd.exe 15->18         started        process8 signatures9 54 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 18->54 56 Modifies the context of a thread in another process (thread injection) 18->56 58 Maps a DLL or memory area into another process 18->58 60 3 other signatures 18->60 21 explorer.exe 18->21 injected process10 dnsIp11 40 www.sympubs.com 64.98.145.30, 49756, 80 TUCOWS-3CA Canada 21->40 42 theconciergeunlimited.com 66.235.200.147, 49754, 80 CLOUDFLARENETUS United States 21->42 44 www.theconciergeunlimited.com 21->44 62 System process connects to network (likely due to code injection or exploit) 21->62 25 explorer.exe 21->25         started        signatures12 process13 signatures14 64 Modifies the context of a thread in another process (thread injection) 25->64 66 Maps a DLL or memory area into another process 25->66 68 Tries to detect virtualization through RDTSC time measurements 25->68 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/620ae1d3eb33c1af2241a3a28a2a91da72d8579c8a722ed1c3b4072b4f33a56f/
Threat name:
Win32.Trojan.Delikle
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 06:40:46 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mifodu7lgpa26isbuoriukur3jznqv44rjzc5uodwqdswtztuvxq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2cc0ceea32e11e6a3e25097f9628105a81d641a7333e1e15678fac797f4e7abe
Formbook
52a6c71e63ed3857be2fa0fb314ce631820994fb7e852fb66bca923efbee2380
Formbook
5806ff817e0b0c3c57e727b04c77411487179c3676150f3f1cf536d3fac33fa5
Formbook
681b37be0d24067f1cb3b29fa998c9ff305841c53a686ac68c295f0784abf40e
Formbook
6847d25820be1a4d252df58d3652e103f33af5a43f12febeae71ac66385b0380
Formbook
95eaab8711de8becc8c2625b90d9f44f5d6c50505a8939dfc3528adada49ed4d
Formbook
a4cb0f9cc73c9dda17e2c27e0c35cec8b5f58d08910f4ad237814f8f3a9b3723
Formbook
deee3ad263c3947b20580cce3310c53219217e21588479e7152eda86b9f6f08e
Formbook
e66a524df69a19ea2fc31787e557c8738473af8e4dc7e5ca87619910b3f0a121
Formbook
ebd88634ecfbdc7e88bca32a0b22fa35e24c9feb309799128f3d12d2cceac224
Formbook
+ 3'206 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201119-5fwzlrpbh6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.geteugenejustice.com/sub/
Unpacked files
SH256 hash:
620ae1d3eb33c1af2241a3a28a2a91da72d8579c8a722ed1c3b4072b4f33a56f
MD5 hash:
ca0d5a00209e3a1cce689ab87f96f435
SHA1 hash:
d218faba31588edfca49d6284bd7fff539f965ac
Link:
https://www.unpac.me/results/540d80bd-3318-4383-ab44-b108e07606eb/
SH256 hash:
fbadf4561cf87097d98d03abb86eb3159219f306cddf57183bf27debdb3ea913
MD5 hash:
050ece98269d418e4fce5014a3ae04c6
SHA1 hash:
5535ea9d7b98319c72aacc1e383cb3aea653b3fc
Link:
https://www.unpac.me/results/540d80bd-3318-4383-ab44-b108e07606eb/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 620ae1d3eb33c1af2241a3a28a2a91da72d8579c8a722ed1c3b4072b4f33a56f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/831969/
  
Delivery method
Distributed via web download

Comments