MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80d6f86936cc5e0190138c00ef2a03b2ec8abc19a1b2a7a0b3683e864f4fa982. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80d6f86936cc5e0190138c00ef2a03b2ec8abc19a1b2a7a0b3683e864f4fa982
SHA3-384 hash: d3b8e4248d0a828d575185ef8fe0b44beab76f136afcf46707b19817c3eef829714ba687373204a4e31439e929f2467e
SHA1 hash: 0db154e8803c16af52e4bfcb84252e28e2a9c631
MD5 hash: e022df111f1fd982758accff5c4e23de
humanhash: illinois-lithium-sweet-fix
File name:e022df111f1fd982758accff5c4e23de.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'369'088 bytes
First seen:2020-12-18 16:37:40 UTC
Last seen:2020-12-18 18:33:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:PFOq4Anjnf9AEZP0JL5rJRdwKK9eZtkVbBkY:sq4gZwL5rJRm4elB
Threatray 3'227 similar samples on MalwareBazaar
TLSH EC55AE103AE5AB19F23FAF7695D26080DBFAF6736B13E98B2DC103D90252E55CD50326
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e022df111f1fd982758accff5c4e23de.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-18 16:37:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1cf1b647-bef8-4ff3-a420-30879af2722a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108447/
Detection(s):
SecuriteInfo.com.ArtemisE022DF111F1F.6714.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/566484
Signature
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332326 Sample: TqWufCUvxV.exe Startdate: 18/12/2020 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Yara detected AntiVM_3 2->40 42 4 other signatures 2->42 10 TqWufCUvxV.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\TqWufCUvxV.exe.log, ASCII 10->28 dropped 52 Detected unpacking (changes PE section rights) 10->52 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->54 56 Tries to detect virtualization through RDTSC time measurements 10->56 58 Injects a PE file into a foreign processes 10->58 14 TqWufCUvxV.exe 10->14         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.rainbowhillsswimclub.com 154.218.55.251, 49746, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 17->30 32 saisaharashipping.com 93.104.210.230, 49745, 80 MNET-ASGermanyDE Germany 17->32 34 8 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 wscript.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/80d6f86936cc5e0190138c00ef2a03b2ec8abc19a1b2a7a0b3683e864f4fa982/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-12-18 09:25:42 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04274b027d3bd09ec0d7b58ff5af64aa06e626668995cb5ef6d7fad939bc6c33
Formbook
12898cbec097104c225702c61e311cc6e12d0f4ac55b95a1eb41a812e6941748
Formbook
7a39513f428374b50a41c8d30a1704906270005c4675db03d810f9970fd96bbf
Formbook
90ce350a15e0ca0d408b4b8744e51e7c87b6962eee67f1aca9bfb167ddb5106e
Formbook
ab2d651176cc27c6b41e7d6bdb060c328d66e68c4fb8df1b2c0a217187b2c15d
Formbook
b6247c787ec362f884203a581049a638a59a9db8dc6bac8cb88869a45704dfc9
Formbook
df8f7e81b9ccea1324a19fd1356c8fb79ea5623ba4095195f86c29f3816b5f7f
Formbook
e07c9d7c06c5ebc0b53aba5bb6c35edd07169401a08e016ca68fa5677db00370
Formbook
e919d1c10bd867f71a99a7aaa5c52221c4e79341c2389880596a8d1ef9ed5a13
Formbook
f1ca0286fa691166ab71220ee3243bcfa4e73b17247e382edaf6c1590d50d3a2
Formbook
+ 3'217 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook evasion rat spyware stealer trojan
Link:
https://tria.ge/reports/201218-6rylj9l5de/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Malware Config
C2 Extraction:
http://www.thesiromiel.com/kgw/
Unpacked files
SH256 hash:
80d6f86936cc5e0190138c00ef2a03b2ec8abc19a1b2a7a0b3683e864f4fa982
MD5 hash:
e022df111f1fd982758accff5c4e23de
SHA1 hash:
0db154e8803c16af52e4bfcb84252e28e2a9c631
Link:
https://www.unpac.me/results/bf2a57b2-b833-4c42-9b8c-4a274d46f288/
SH256 hash:
65f2517db746baf09872e1a1e4ebd9ac2519f10a869a135f52833f7047a468b5
MD5 hash:
079099affb0bbdb079837e721a0a6f5d
SHA1 hash:
b0c75edc8078cffbc6d41800fad0313e7ec0cb66
Link:
https://www.unpac.me/results/bf2a57b2-b833-4c42-9b8c-4a274d46f288/
SH256 hash:
42e7a68b7222d906320ffab12227ef795b0b5caf62afd885c082d2e5f5c7d6c6
MD5 hash:
325949910de2508b932ca47607735f6a
SHA1 hash:
b784089451dc40bfed7277cb8ee197a78cf5126d
Link:
https://www.unpac.me/results/bf2a57b2-b833-4c42-9b8c-4a274d46f288/
SH256 hash:
3ca9cf478845d74c61a836a02908c7d26d5e0b2fb8d03f92bfe5ed4a8865527a
MD5 hash:
ccaf4c52861605afe12d4fb1f927ef32
SHA1 hash:
c8c52901e58187e7597c984fb893410e613d571b
Link:
https://www.unpac.me/results/bf2a57b2-b833-4c42-9b8c-4a274d46f288/
SH256 hash:
b087a4c845235d514eb24a87f9af3c3f4171050906450d2d185e056caa4ba0f6
MD5 hash:
63ba6b8c7406b7c5af6526977517a7bf
SHA1 hash:
704e4e782aa010d23342b5bff350024a355c88d4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bf2a57b2-b833-4c42-9b8c-4a274d46f288/
Parent samples :
ab2d651176cc27c6b41e7d6bdb060c328d66e68c4fb8df1b2c0a217187b2c15d
12898cbec097104c225702c61e311cc6e12d0f4ac55b95a1eb41a812e6941748
c11060e98a1fd5927043effed391b0278f0b5ffcc6a0e1afe63cc9b0831d0c50
04274b027d3bd09ec0d7b58ff5af64aa06e626668995cb5ef6d7fad939bc6c33
f1ca0286fa691166ab71220ee3243bcfa4e73b17247e382edaf6c1590d50d3a2
7a39513f428374b50a41c8d30a1704906270005c4675db03d810f9970fd96bbf
e07c9d7c06c5ebc0b53aba5bb6c35edd07169401a08e016ca68fa5677db00370
df8f7e81b9ccea1324a19fd1356c8fb79ea5623ba4095195f86c29f3816b5f7f
80d6f86936cc5e0190138c00ef2a03b2ec8abc19a1b2a7a0b3683e864f4fa982
429cc06eefa31821417d3b4f6ec5a69a352513d739499af2c6e9bce39d6d0542
e98f391c97abc8da96024452a1792e3eb6c559e2a2fbf5ac930ae3d772d833f5
9dddc8004c534fb2ebb6ad63cd96c11a97d87c87c1fc8eb46a6df36ecc341c18
2fd6b2288864f3a099a32bd923f7b3c67db00c979aa2e46db125e104618e92b7
04e7f27915298f09a1486331df3f0e5121e4a7856f41290f48200255b8b82df8
326090842ee6d692e02ae131a2003658939f60e79bceb7bad983cfe16400062f
623c65639a4364546031c5edb9780ab9cbbe5e6713d09518805dcaded8e425a0
14ee2894b546ba6d7835ee4dd8e07ef72fb10bfaebec8f1687da4559267cb72e
dc7d5ba2b99378adec017bb8911f3d2efd3cccf02bd0dc270e3c5ea2f875fc94
8fb9729078316a776fe49e10ae501467bac7d4df61278ca89fb08e1252ddb147
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80d6f86936cc5e0190138c00ef2a03b2ec8abc19a1b2a7a0b3683e864f4fa982

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 80d6f86936cc5e0190138c00ef2a03b2ec8abc19a1b2a7a0b3683e864f4fa982

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/927453/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108447/

Comments