MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80a117ddcf71acfcb656a02ed92698d35fdd0150a31e7e4678bbb31bf30ab4b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80a117ddcf71acfcb656a02ed92698d35fdd0150a31e7e4678bbb31bf30ab4b7
SHA3-384 hash: 7c6bd26e133ff6fe3a339cf91252f15b5fa4dce3f8c3c1933861dd8d532da35866fc6034648c04c1ffb45a4012ce1502
SHA1 hash: c5e8abe7bb7683916dcbdb323e7c2f7dc7340d91
MD5 hash: e2f0ff641824237a52d26a0fbf321926
humanhash: angel-ten-green-monkey
File name:AWB #834763201.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:942'592 bytes
First seen:2023-05-20 12:53:04 UTC
Last seen:2023-05-20 14:52:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:5dFR8P0vZCFH6hFwWGT6u+q5rKmpB3f78WvftBJCK1eED:kP0vZC9BWGGu+qgmPIY914
Threatray 3'327 similar samples on MalwareBazaar
TLSH T1DA15E05126B88F51E2766BF96672E13443B12C11EB26D3095DE02CDB3DBAF862701B93
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
311
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
AWB #834763201.exe
Verdict:
Malicious activity
Analysis date:
2023-05-20 12:56:16 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/2f62ad6f-6d0f-4e01-8914-8a5347b344af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67121029.11959.24085.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/6468c2eb9d046b41ac3d520c/reports/bacb88af-d43b-4799-820c-7ef84800b321/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/80a117ddcf71acfcb656a02ed92698d35fdd0150a31e7e4678bbb31bf30ab4b7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c97a2423-9199-4474-a19e-d1a83ead817a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1237990
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 870984 Sample: AWB_#834763201.exe Startdate: 20/05/2023 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 7 other signatures 2->42 10 AWB_#834763201.exe 3 2->10         started        process3 file4 28 C:\Users\user\...\AWB_#834763201.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 AWB_#834763201.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 1 1 14->17 injected process8 dnsIp9 30 bangaloreescortscity.com 162.241.85.151, 49682, 80 OIS1US United States 17->30 32 www.czwjjgcbearing.com 160.121.86.217, 49683, 80 CLAYERLIMITED-AS-APClayerLimitedHK South Africa 17->32 34 2 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 cmstp.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80a117ddcf71acfcb656a02ed92698d35fdd0150a31e7e4678bbb31bf30ab4b7/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-05-19 09:35:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qcqrpxopogwpznswuaxnsjuy2np52akqumph4rtyxozrx4ykws3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0802394968eda97506836e12c3deb32af74ad1ffcc86b22e4d654d10b865241c
Formbook
28981de1a7a9617749fe0a5d19b8e0c80b2dc082118c1ca1b95e475df34e44a4
Formbook
2d3c7fefde60268ec96906144d74058651f6d5d7ed5993a8b1ed00ca40a2d7f0
Formbook
2fb0a24e905687a5443fbe50d21033e4318da3275260bd82d016a9af346bb09b
Formbook
3b86e5743a7a35e6c3e1dc7cb1a844299e7b1f9eeea5bb7e51ca0de52b808803
Formbook
59d3d0d82273ee3a78483d3508a8247593a06826f8531de8ca072718e6609598
Formbook
9048c7507764dd285566e7bcdd0db1a5ca6554fc08739e9af182d4cc0a18e201
Formbook
9428a8cb5cf276628dfa0fe68ad6e9169a0a12eb6d00636cd64c39111ddb3aab
Formbook
a4515730dc2be572ac039d78bfc3c3e2e1bfa4a737e67f0a709b29d94c737ca6
Formbook
e107d1577a610b65847d6474085b90abd5d3299719d8e3544c36c127a5c7e8ea
Formbook
+ 3'317 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ca82 rat spyware stealer trojan
Link:
https://tria.ge/reports/230520-p47j7sfa5y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
98e1311b8f852d84ca8015bf0397901a0f1a87dcdbbdce999e47ad09bea9f10f
MD5 hash:
04cf82b2c488a2f1b101288e84b12897
SHA1 hash:
6e579a9f44b591cc213f60d8ae7ac16760f02b3c
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/38555fe5-a649-43e5-b9b4-f37a8dd10fd6/
Parent samples :
28981de1a7a9617749fe0a5d19b8e0c80b2dc082118c1ca1b95e475df34e44a4
9bd6ff186abaaa8ad5ba8e89d2f12c87ea5fdac36e14af8192ad43655a90a972
9048c7507764dd285566e7bcdd0db1a5ca6554fc08739e9af182d4cc0a18e201
80a117ddcf71acfcb656a02ed92698d35fdd0150a31e7e4678bbb31bf30ab4b7
6ea7ca3a65d2621c8a9c7502eb9a7f914d5a155a3791e551cc3308f638ea307c
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/38555fe5-a649-43e5-b9b4-f37a8dd10fd6/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
6239bba450b440b76b4ca62a2e904de64776c9e312e509a862912b7bbd69e886
MD5 hash:
799fa5df4bbcef6c220c745b06d69a79
SHA1 hash:
30b05a9389f902ae76ca0728da40991b5541e2fa
Link:
https://www.unpac.me/results/38555fe5-a649-43e5-b9b4-f37a8dd10fd6/
SH256 hash:
b178430918654661133e3cc86f68618dac7c1a56092e89c8d474cf3f05390a23
MD5 hash:
a74d4ff639d43c44d7dcf925dfc3b2d1
SHA1 hash:
1db08e8f485ac81d554e836a784589ab4cee8486
Link:
https://www.unpac.me/results/38555fe5-a649-43e5-b9b4-f37a8dd10fd6/
SH256 hash:
7a58e024aea7daaeee27c353843db6a9109498d796835c2aebc2a53e98584a1c
MD5 hash:
0a9144ce9b402d35e912b382cb3ca95d
SHA1 hash:
08d780bd503f671e32e1f25a53d05243054c5c0e
Link:
https://www.unpac.me/results/38555fe5-a649-43e5-b9b4-f37a8dd10fd6/
SH256 hash:
80a117ddcf71acfcb656a02ed92698d35fdd0150a31e7e4678bbb31bf30ab4b7
MD5 hash:
e2f0ff641824237a52d26a0fbf321926
SHA1 hash:
c5e8abe7bb7683916dcbdb323e7c2f7dc7340d91
Link:
https://www.unpac.me/results/38555fe5-a649-43e5-b9b4-f37a8dd10fd6/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/80a117ddcf71/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/80a117ddcf71acfcb656a02ed92698d35fdd0150a31e7e4678bbb31bf30ab4b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 80a117ddcf71acfcb656a02ed92698d35fdd0150a31e7e4678bbb31bf30ab4b7

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment

Comments