MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81587d1883eba143c62f4247410fb283f2c6f07620acfa357aa41bb84a5eae81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81587d1883eba143c62f4247410fb283f2c6f07620acfa357aa41bb84a5eae81
SHA3-384 hash: eb267d7faba58c5fd672a45fa185e105dfd34539084538a9b70d251b0ec33bb352defc08fa8018bfaabbb672a8a3075d
SHA1 hash: 1a3dc0b89072f145bb25418d995650bc61dd936d
MD5 hash: 1822051c0a5d632126f6edc45c245b9b
humanhash: early-moon-washington-fish
File name:QTN 79-21180088.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:395'264 bytes
First seen:2022-01-17 10:05:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:cs9r9OB1RwpwicOKjH/bPquMAwREtU6KBRTS9ekRRRRRER:Z9r9OB7wpwFjDqGCEtUHS9ekRRRRRER
Threatray 13'225 similar samples on MalwareBazaar
TLSH T11E841251B1ED67B6E6BA07F1E022251057B1296EF013DB493E8BB0DF0D21B425A4AF37
Reporter madjack_red
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QTN 79-21180088.exe
Verdict:
Malicious activity
Analysis date:
2022-01-17 10:23:59 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/6a7372ee-d9ea-4dd4-ad1b-07401f973462

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219801/
Detection(s):
SecuriteInfo.com.Trojan.Hosts.49477.30444.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61e53f560f8c757253c3e7e8/reports/8615c547-ca05-4d60-8703-da56cb03a223/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/75e3a80d-8a13-489e-adfe-a095ab3fafb7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921725
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 554203 Sample: QTN 79-21180088.exe Startdate: 17/01/2022 Architecture: WINDOWS Score: 100 47 www.acupressuretips.com 2->47 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 14 other signatures 2->67 11 QTN 79-21180088.exe 7 2->11         started        signatures3 process4 file5 39 C:\Users\user\AppData\...\DDzuCaphaHSiRG.exe, PE32 11->39 dropped 41 C:\...\DDzuCaphaHSiRG.exe:Zone.Identifier, ASCII 11->41 dropped 43 C:\Users\user\AppData\Local\Temp\tmp78B.tmp, XML 11->43 dropped 45 C:\Users\user\...\QTN 79-21180088.exe.log, ASCII 11->45 dropped 73 Adds a directory exclusion to Windows Defender 11->73 15 QTN 79-21180088.exe 11->15         started        18 powershell.exe 24 11->18         started        20 schtasks.exe 1 11->20         started        22 QTN 79-21180088.exe 11->22         started        signatures6 process7 signatures8 75 Modifies the context of a thread in another process (thread injection) 15->75 77 Maps a DLL or memory area into another process 15->77 79 Sample uses process hollowing technique 15->79 81 Queues an APC in another process (thread injection) 15->81 24 explorer.exe 15->24 injected 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        process9 dnsIp10 49 xu6f5w5seihl.xyz 216.18.208.202, 49820, 80 WEBNXUS United States 24->49 51 www.xu6f5w5seihl.xyz 24->51 69 System process connects to network (likely due to code injection or exploit) 24->69 71 Performs DNS queries to domains with low reputation 24->71 32 wscript.exe 24->32         started        signatures11 process12 signatures13 53 Self deletion via cmd delete 32->53 55 Modifies the context of a thread in another process (thread injection) 32->55 57 Maps a DLL or memory area into another process 32->57 59 Tries to detect virtualization through RDTSC time measurements 32->59 35 cmd.exe 1 32->35         started        process14 process15 37 conhost.exe 35->37         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/81587d1883eba143c62f4247410fb283f2c6f07620acfa357aa41bb84a5eae81/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-01-17 10:06:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qfmh2ged5oquhrrpijducd5sqpzmn4dwecwpunl2uqn3qss6v2aq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0522489c1b0eff1e817ab93264228b374c3d39562faf11e8248883ab2b52002d
Formbook
2799478f81991ca4ba86ccf7a234f95199cf3743f6a1112f20666b6ce104e557
Formbook
400558d78a7f45c87f3e0376dd0082f6df8dc35a4e547b2c8bdd44a01f978a65
Formbook
7e3e2a98f50147b5dc6027917bfea6e0e0cfbb885c1bb6680f8e9ab9d5557dc8
Formbook
af6d1f6a274a8eb43f9f515f9a5b99fa0163237794d6b27d6f9658b1b1615c11
Formbook
ca211fa9a62ed048d36a51492b5bbd7a39934b1afb94fbd888d1a4bd7f54fe43
Formbook
d9e6cbd72f298a92da436afa4f798a3cbc4b951c4e7532c57b4809e7a2d1ee4d
Formbook
ff3f3250034862434276a28909e3290dc17c89d6aab4e784044253ee31f136ad
Formbook
+ 13'215 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:v32s rat spyware stealer trojan
Link:
https://tria.ge/reports/220117-l4hz3ahdd9/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook Payload
Formbook
Unpacked files
SH256 hash:
f62ebbfcf693a6a69684b0338bbf15808445ed81d1edb1aee6701882f216cc9c
MD5 hash:
8dd708ed57fcbe25fdd6ffacfcc6157c
SHA1 hash:
e3f14c7976145114f263768936b95bd57e1488dd
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bfe949ff-715d-4142-93d7-3e88663d5a9d/
Parent samples :
81587d1883eba143c62f4247410fb283f2c6f07620acfa357aa41bb84a5eae81
bdfb763b51cd4a618ad0d10388f1f478d1acddc7917891a990e8f390c9319b76
SH256 hash:
ba29108498b9c23eaf3db856acaf5030390fe09314afc3e88cb63f529379fbd7
MD5 hash:
c2e4ec11f62182b87d239dbdee3e5e5c
SHA1 hash:
3ba472b792e6122b8fb49c2d77fab8d950e3fd14
Link:
https://www.unpac.me/results/bfe949ff-715d-4142-93d7-3e88663d5a9d/
SH256 hash:
505e2399f8ea8c7703d6eb618d704eacc73c2ca91cfbfca074d92bf1e518e3af
MD5 hash:
f01ecc839ff879e6f59ee20b213d404a
SHA1 hash:
22c0e4a35e9705a5b582b845fd9a58d58c999bd4
Link:
https://www.unpac.me/results/bfe949ff-715d-4142-93d7-3e88663d5a9d/
SH256 hash:
81587d1883eba143c62f4247410fb283f2c6f07620acfa357aa41bb84a5eae81
MD5 hash:
1822051c0a5d632126f6edc45c245b9b
SHA1 hash:
1a3dc0b89072f145bb25418d995650bc61dd936d
Link:
https://www.unpac.me/results/bfe949ff-715d-4142-93d7-3e88663d5a9d/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/81587d1883eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81587d1883eba143c62f4247410fb283f2c6f07620acfa357aa41bb84a5eae81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219801/

Comments