MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69357684ec8f83d428d2030db5f3d586718207e86457465e7fd37b3b4b7c4db2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69357684ec8f83d428d2030db5f3d586718207e86457465e7fd37b3b4b7c4db2
SHA3-384 hash: 81d9a8e4ae5b2bb971ae9ed3e8144544b4c8e2de2f656bd3e2244116d435cffc7a4b9a9d9e30389dd289dce8dcd13fe3
SHA1 hash: cdced77e176e38ff459cdea08941de26861647cd
MD5 hash: bf75ed61e1b1f7b310ec1d999077c4dd
humanhash: nevada-triple-earth-ceiling
File name:bf75ed61e1b1f7b310ec1d999077c4dd.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:552'960 bytes
First seen:2020-11-20 18:32:04 UTC
Last seen:2020-11-20 20:42:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:iYHsi433VV/WKmD8UT9Qw4RB07JglwNtAyYtoUqqwyniC:7Hs73NmD/6w4yOwrC9qgi
Threatray 2'994 similar samples on MalwareBazaar
TLSH 92C4124AF34CC666C5AF08BF64B051DE8371C103A121FE136D9CE4B6AE43B50A55B9AF
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
389
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/544415
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 321308 Sample: NQQWym075C.exe Startdate: 20/11/2020 Architecture: WINDOWS Score: 100 35 www.qzrpxx.com 2->35 37 www.keitakora.com 2->37 39 3 other IPs or domains 2->39 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 2 other signatures 2->55 11 NQQWym075C.exe 1 2->11         started        signatures3 process4 signatures5 71 Maps a DLL or memory area into another process 11->71 14 RegAsm.exe 11->14         started        17 NQQWym075C.exe 11->17         started        process6 signatures7 73 Modifies the context of a thread in another process (thread injection) 14->73 75 Maps a DLL or memory area into another process 14->75 77 Sample uses process hollowing technique 14->77 81 2 other signatures 14->81 19 explorer.exe 14->19 injected 79 Writes to foreign memory regions 17->79 23 RegAsm.exe 17->23         started        process8 dnsIp9 41 www.sabaicraft.com 192.64.147.164, 49743, 80 VOODOO1US United States 19->41 43 thrust-board.com 34.102.136.180, 49728, 49730, 49745 GOOGLEUS United States 19->43 45 14 other IPs or domains 19->45 57 System process connects to network (likely due to code injection or exploit) 19->57 25 wlanext.exe 12 19->25         started        29 cscript.exe 19->29         started        59 Modifies the context of a thread in another process (thread injection) 23->59 61 Maps a DLL or memory area into another process 23->61 63 Sample uses process hollowing technique 23->63 signatures10 process11 dnsIp12 47 www.sz360buy.com 25->47 65 Modifies the context of a thread in another process (thread injection) 25->65 67 Maps a DLL or memory area into another process 25->67 69 Tries to detect virtualization through RDTSC time measurements 25->69 31 cmd.exe 1 25->31         started        signatures13 process14 process15 33 conhost.exe 31->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69357684ec8f83d428d2030db5f3d586718207e86457465e7fd37b3b4b7c4db2/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-11-20 10:55:12 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ne2xnbhmr6b5ikgsamg3l46vqzyyeb7imrlumxt72n5tws34jwza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
005b07f4994dac828c9c730744e73a4fde81ce34bd642f6835985871a2fb0084
Formbook
321330f837123bfa71b5fba50ba33848c6060c72242e7cbfa37981f3e834719b
Formbook
5120376bed226fac5d8eb936eb1f798fc4f7f51e263e40a2e9b16fcb949eb6e2
Formbook
543297a97a78b4347302bded28c19777fc5a7771f5c20b8042cbac3e0baadfec
Formbook
59be3e15ddff51758d23796f5528e93ff6c5164486bd0416ff25dc0ddc33f29c
Formbook
6499e8029a2f0db6a6a601d425217cd6bf076fe96accdce24fe042b24001bc8f
Formbook
c18c5e02d67ca2dea08e13f3731c5dd0f5d8833bf2b606287c97e1d053564b85
Formbook
c2ed9a707bd10d4d9d9291d1fd7bc7316d8a80f846b6263c800ff89885641e37
Formbook
ed6182df3469dfdc4084aea0aca3714a90498401d608c7a0ab818329c42ab21f
Formbook
f78a1ebc98a1c1482564cc64a7d10ba7c1ed03591b8cebeba72f27df590dd57d
Formbook
+ 2'984 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201120-mbx5t3nq6e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.teelinkz.com/o56q/
Unpacked files
SH256 hash:
69357684ec8f83d428d2030db5f3d586718207e86457465e7fd37b3b4b7c4db2
MD5 hash:
bf75ed61e1b1f7b310ec1d999077c4dd
SHA1 hash:
cdced77e176e38ff459cdea08941de26861647cd
Link:
https://www.unpac.me/results/da17f000-917b-44fe-8a82-de3a0dc109b7/
SH256 hash:
3b3b4f78fa8910f98def162613db352329f632a7e37b4c3f3ec0da0b7b65ee79
MD5 hash:
25abba58ec980dde6ef9c72b54562be8
SHA1 hash:
997a6c8177e99977c7be1c9ae9ce1a4c7f053ddd
Link:
https://www.unpac.me/results/da17f000-917b-44fe-8a82-de3a0dc109b7/
SH256 hash:
b831be9d2ba12011abd74da5d60a3cf56f52e94dcdd97d9cda2c2a02c2ce15e8
MD5 hash:
76e3566aee88919c013fdd299788df12
SHA1 hash:
7f193b53f2e948c97f1c9858658da5cc95adec82
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/da17f000-917b-44fe-8a82-de3a0dc109b7/
Parent samples :
69357684ec8f83d428d2030db5f3d586718207e86457465e7fd37b3b4b7c4db2
c61f614dcb99b9ca9d5671a78e38480e51af4cfb1a11605564e55b4ad8c2407d
d6fc2a83aa93c4fb115d6755006950aa4372055dba75b7f78b9e5d20dd007ea6
bd612f435faf86c9e9e30ea9f3d64375598f83c7f8ae9d9034c0323ea4623029
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69357684ec8f83d428d2030db5f3d586718207e86457465e7fd37b3b4b7c4db2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 69357684ec8f83d428d2030db5f3d586718207e86457465e7fd37b3b4b7c4db2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/836467/
  
Delivery method
Distributed via web download

Comments