MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7044d232a489bff666d788729e41db7c74ad7f0d94f1a212fce0694855ecd899. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7044d232a489bff666d788729e41db7c74ad7f0d94f1a212fce0694855ecd899
SHA3-384 hash: b1a21ffa3d33791b1986f1d930a26ea47ed6a301a19fdc47d27678fced5916aa8540bc0de079c20b8ce655442e09bb57
SHA1 hash: 45485738c66c69694c8c91e1024b4b906a3d414c
MD5 hash: 43a82e52d08111ebf4b2a1a7bc2a1266
humanhash: pizza-diet-low-sierra
File name:43a82e52d08111ebf4b2a1a7bc2a1266.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'019'574 bytes
First seen:2020-10-19 11:02:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:JAOcZyp4D4UcyCPotKxg539FQZMaBQi2jM:jwD4U9aotKxw96ZMAF
Threatray 2'784 similar samples on MalwareBazaar
TLSH 13251202B7D688B2D53229325939AB166D7C3D201F28CA2FE3D4497DDE761C19624FB3
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72925/
Detection(s):
Win.Malware.Vasal-9406011-0
Create hunting rule

Win.Malware.Nanocore-9406023-1
Create hunting rule

Win.Dropper.Vasal-9635263-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Launching a process
Launching cmd.exe command interpreter
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495323
Signature
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300119 Sample: 6BzhLLexUG.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 3 other signatures 2->55 11 6BzhLLexUG.exe 39 2->11         started        process3 file4 37 C:\Users\user\AppData\Roaming\...\bsxxob.pif, PE32 11->37 dropped 67 Drops PE files with a suspicious file extension 11->67 15 bsxxob.pif 3 11->15         started        signatures5 process6 file7 39 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 15->39 dropped 41 Multi AV Scanner detection for dropped file 15->41 43 Writes to foreign memory regions 15->43 45 Allocates memory in foreign processes 15->45 47 Injects a PE file into a foreign processes 15->47 19 RegSvcs.exe 15->19         started        22 RegSvcs.exe 15->22         started        24 mshta.exe 15->24         started        26 6 other processes 15->26 signatures8 process9 signatures10 57 Modifies the context of a thread in another process (thread injection) 19->57 59 Maps a DLL or memory area into another process 19->59 61 Sample uses process hollowing technique 19->61 63 Queues an APC in another process (thread injection) 19->63 28 explorer.exe 19->28 injected 65 Tries to detect virtualization through RDTSC time measurements 22->65 process11 process12 30 cscript.exe 28->30         started        signatures13 69 Modifies the context of a thread in another process (thread injection) 30->69 71 Maps a DLL or memory area into another process 30->71 73 Tries to detect virtualization through RDTSC time measurements 30->73 33 cmd.exe 30->33         started        process14 process15 35 conhost.exe 33->35         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7044d232a489bff666d788729e41db7c74ad7f0d94f1a212fce0694855ecd899/
Threat name:
Win32.Spyware.FormBook
Create hunting rule
Status:
Suspicious
First seen:
2020-10-19 11:04:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
5c5e4e31bde29168e03fa8cce36bab9b577568137edab59f68f8968616546ed9
Formbook
76e2040321ed7cc5ff6ced0a91b8e8546b7f9a4eab5802beb8ce137b0da48244
Formbook
7fce676b063449eecd1236727598513639a7fd166d6e2f86dce138b97636d572
Formbook
90bb157f9c5241f567eb56be38e3ba9f51a0ec5a8da3c77fdb1bed1f2095c39b
Formbook
9cd4df25010125f2ef3eeef44503b3c2b58435af758fe7213d053a60f018f3d8
Formbook
9cfc6d15c9f94fbd02270634f89d713e26e943cf55bf088471771144ce471633
Formbook
a30dd99039152a76aacb5607d79b400098d9cd24350c0121fe4f7811177c0dbc
Formbook
a943fc4408c2f59f2df0afabf3836e5adae92a8f4a4b1da0270e313d8ea78445
Formbook
ab62f6c3ea852d99ce529f9c61012ab324bb007f79cc6cba9c8f6c1aaba4c561
Formbook
d6c73d397215d259bfb6168e9c0a6c29bb8e684509877e0ec62aba0c817a25fa
Formbook
+ 2'774 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201019-m651wq2fpn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.amazon-i3.com/nyk/
Unpacked files
SH256 hash:
7044d232a489bff666d788729e41db7c74ad7f0d94f1a212fce0694855ecd899
MD5 hash:
43a82e52d08111ebf4b2a1a7bc2a1266
SHA1 hash:
45485738c66c69694c8c91e1024b4b906a3d414c
Link:
https://www.unpac.me/results/2ff3d619-305f-43cf-bddb-1bc107b77ed2/
SH256 hash:
9eb827943e51a1bb42cba24e7b845e74e62b5043e0433bd06668f70538f40678
MD5 hash:
03abf1fdcbd95752c0228a88996721b8
SHA1 hash:
c18990475a825dee36ea3448d0c3f236a9fb1023
Link:
https://www.unpac.me/results/2ff3d619-305f-43cf-bddb-1bc107b77ed2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7044d232a489bff666d788729e41db7c74ad7f0d94f1a212fce0694855ecd899

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 7044d232a489bff666d788729e41db7c74ad7f0d94f1a212fce0694855ecd899

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/717186/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/72925/

Comments