MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 726a3798f80c7e482b512dc777bc692965136190990a5fed138934a546944121. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 726a3798f80c7e482b512dc777bc692965136190990a5fed138934a546944121
SHA3-384 hash: 7b630c131383757681454dd3980e1098b53983a82ec05d6e6e72366735c8d756df7a93b51081bd7338488b7f5a0f3c93
SHA1 hash: 9e9a454762c2ecfc6326efadd83128bf3b49aca8
MD5 hash: f6e56a72afa365ae2b4018648e048940
humanhash: lake-bulldog-oranges-river
File name:f6e56a72afa365ae2b4018648e048940.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:231'933 bytes
First seen:2021-05-10 07:40:01 UTC
Last seen:2021-05-10 08:03:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 6144:L9X0GgpHIYgtoJiW3giRorQaB7yUL4+NlqygtG3:l0VpHIYSoJiW3giiUaBPZa2
Threatray 5'152 similar samples on MalwareBazaar
TLSH 0034121E4290C5B3C8231B311C796F2EBFEFC3052084595B5BA46FA978836D6272F765
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/153814/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/777280
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 409676 Sample: KVYhrHPAgF.exe Startdate: 10/05/2021 Architecture: WINDOWS Score: 100 31 www.travellpod.com 2->31 33 prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 5 other signatures 2->47 11 KVYhrHPAgF.exe 18 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\tvjy7oe88s7.dll, PE32 11->29 dropped 59 Detected unpacking (changes PE section rights) 11->59 61 Maps a DLL or memory area into another process 11->61 63 Tries to detect virtualization through RDTSC time measurements 11->63 15 KVYhrHPAgF.exe 11->15         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 18 explorer.exe 15->18 injected process9 dnsIp10 35 plataforyou.com 50.87.169.152, 49729, 80 UNIFIEDLAYER-AS-1US United States 18->35 37 www.shuairui.net 104.161.54.152, 49747, 80 IOFLOODUS United States 18->37 39 3 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 51 Uses ipconfig to lookup or modify the Windows network settings 18->51 22 ipconfig.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/726a3798f80c7e482b512dc777bc692965136190990a5fed138934a546944121/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 01:41:08 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ojvdpghybr7eqk2rfxdxppdjffsrgymqteff73itre2kkruuieqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1f108a10b866def65686fcb0e0c10612152288ea1f7a6158e5ada37f26d03265
Formbook
3c0c946bd49128824271aa80cde029b625c3c1ca3ba6df6b3408cccddc02296e
Formbook
6f4fbab85c58d588450bc856ceff3894645e0033b4c4d2684184a8430c01daa4
Formbook
78b11874a66b80ec78962b27c352a643d1a11c7f5cf9273f0db06df3f4f7e76c
Formbook
7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b
Formbook
7f81bdd235dca279812a46cec7f585bde9d681906dba1398e8ac86dfc877d079
Formbook
c09b2348606b04620b185f4658474843eef3d9ec99ae70145a481b955d50aebf
Formbook
ce2ca323cae4838375c60305a3706e6828ab9fd8e30b65b1d0f4c87dbce0f29b
Formbook
f88dc07bd8d9ecaabaaad76a092029221077b4eba8d67714dc750b15a59d74f3
Formbook
facc651f7697bb357b528e0fdcbfcb0601abcaad0f2bd31eee54792aa8ee66e3
Formbook
+ 5'142 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210510-zdjcwlt6re/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.shoprodeovegas.com/xcl/
Unpacked files
SH256 hash:
fb7d1bac5c557b31f902a51dce8ad460b0bcb41a5bf5953b4b14a0c606abb544
MD5 hash:
461366c30c8d7869834ae3c80c70c831
SHA1 hash:
f87c4af01a7130dcf0b6ed060b58dcf02af15b09
Link:
https://www.unpac.me/results/0b39c4a7-e3e1-4075-ae03-4c7e5408ca3b/
SH256 hash:
726a3798f80c7e482b512dc777bc692965136190990a5fed138934a546944121
MD5 hash:
f6e56a72afa365ae2b4018648e048940
SHA1 hash:
9e9a454762c2ecfc6326efadd83128bf3b49aca8
Link:
https://www.unpac.me/results/0b39c4a7-e3e1-4075-ae03-4c7e5408ca3b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/726a3798f80c7e482b512dc777bc692965136190990a5fed138934a546944121

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 726a3798f80c7e482b512dc777bc692965136190990a5fed138934a546944121

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/153814/
  
URLhaus
https://urlhaus.abuse.ch/url/1187701/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-10 08:09:07 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [C0032.001] Data Micro-objective::CRC32::Checksum
2) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0045] File System Micro-objective::Copy File
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [E1510] Impact::Clipboard Modification
14) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
17) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0018] Process Micro-objective::Terminate Process