MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b
SHA3-384 hash: 62f1d01e7cc649623363b6ce3d71d63b38eb9e37d38a0d858f3433fe7f2564021ccdc9c80f0a680a99d56ef60e6eef0b
SHA1 hash: de7f4a8270fe216e68076ce93243b60d6d6d5f51
MD5 hash: aa6168d4e41ced2091baee9f5d59e11e
humanhash: stream-stream-spaghetti-seventeen
File name:aa6168d4e41ced2091baee9f5d59e11e.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:233'896 bytes
First seen:2021-05-03 08:47:13 UTC
Last seen:2021-05-03 11:06:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 63 x GuLoader, 54 x Loki)
ssdeep 6144:lPXI0pTaBRvIJ331V2a3tOuUggm29YsS7cty0jSO8PIlI1L:a0pTanIJHOggm8cIJaB
Threatray 4'923 similar samples on MalwareBazaar
TLSH 6D34027D22A0D5E7C62307B06AB79D67EBE2D8160271070FF790EB6E381D5E14A1E192
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/148332/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.20177.32100.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/707517
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402678 Sample: ihnxvs562g.exe Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 5 other signatures 2->44 10 ihnxvs562g.exe 19 2->10         started        process3 file4 30 C:\Users\user\AppData\...\ghvea31n0uw.dll, PE32 10->30 dropped 54 Maps a DLL or memory area into another process 10->54 56 Tries to detect virtualization through RDTSC time measurements 10->56 14 ihnxvs562g.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected 21 BackgroundTransferHost.exe 13 14->21         started        process8 dnsIp9 32 www.myfreezic.com 103.224.182.242, 49740, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 17->32 34 www.spyforu.com 17->34 36 4 other IPs or domains 17->36 46 System process connects to network (likely due to code injection or exploit) 17->46 23 wlanext.exe 17->23         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 23->48 50 Maps a DLL or memory area into another process 23->50 52 Tries to detect virtualization through RDTSC time measurements 23->52 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-03 06:38:59 UTC
AV detection:
18 of 47 (38.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=prrzhnhin2s45re4b6auwf7exoc2urd4dgewanzffkkp6zawzynq._file
Verdict:
malicious
Similar samples:
03805a08ddc03ad125ae1566868e0ccde7965350d760dc212a224ab10520a2d8
Formbook
1e107f01485dd3c413656b5e2d2fdb79166847cd8b3e5f6dc0bcf4895d530c39
Formbook
2080ae2cfe843c0e1754f994b356086718dd6dceedf974ca37b629fb4da817a6
Formbook
3c0c946bd49128824271aa80cde029b625c3c1ca3ba6df6b3408cccddc02296e
Formbook
6f4fbab85c58d588450bc856ceff3894645e0033b4c4d2684184a8430c01daa4
Formbook
93fae9b54c0f1960139aa4007a0b8f695d61cdc5219fbfbe885c850a4f43a92d
Formbook
a2cdf452f83aa86c0f3ade321cfc00a9ed3671082372081a67cad84a26492051
Formbook
a3caa0df0bdb2bf954c259a2421958b79c61c5a2dfdefcfbf62b58129f66a56f
Formbook
ce2ca323cae4838375c60305a3706e6828ab9fd8e30b65b1d0f4c87dbce0f29b
Formbook
facc651f7697bb357b528e0fdcbfcb0601abcaad0f2bd31eee54792aa8ee66e3
Formbook
+ 4'913 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210503-pnjf2hswex/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.shoprodeovegas.com/xcl/
Unpacked files
SH256 hash:
974e158ea37951d137839d4189279330aa2e85f5bafa4f273f7007673cd4d3fc
MD5 hash:
7bee24f38e906d08f10c1b51be4be749
SHA1 hash:
588f2f0f8b859e15620fbec8e6381c6addf2a3fd
Link:
https://www.unpac.me/results/172c5be7-f041-4354-8e01-3cac0ed5d313/
SH256 hash:
7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b
MD5 hash:
aa6168d4e41ced2091baee9f5d59e11e
SHA1 hash:
de7f4a8270fe216e68076ce93243b60d6d6d5f51
Link:
https://www.unpac.me/results/172c5be7-f041-4354-8e01-3cac0ed5d313/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ransomware
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1187701/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/148332/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 09:01:07 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0032.001] Data Micro-objective::CRC32::Checksum
1) [C0026.002] Data Micro-objective::XOR::Encode Data
4) [C0046] File System Micro-objective::Create Directory
5) [C0048] File System Micro-objective::Delete Directory
6) [C0047] File System Micro-objective::Delete File
7) [C0049] File System Micro-objective::Get File Attributes
8) [C0051] File System Micro-objective::Read File
9) [C0050] File System Micro-objective::Set File Attributes
10) [C0052] File System Micro-objective::Writes File
11) [E1510] Impact::Clipboard Modification
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
14) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
15) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
16) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
17) [C0017] Process Micro-objective::Create Process
18) [C0038] Process Micro-objective::Create Thread