MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a116bfcbc1c440c1491513ee9efde46fe7f2e7f24fcdb3f43ee21d0917face7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a116bfcbc1c440c1491513ee9efde46fe7f2e7f24fcdb3f43ee21d0917face7
SHA3-384 hash: 477b1c5ef4b887876936389c8991600c883114912da5c51fbaec162514c7b301203ffccf20e56f91fde3702aac73f6e5
SHA1 hash: b7cceb6c9e8c50cda1b6f8643f2d123ca100d8b2
MD5 hash: 7ceac88b29ab061f0fc1f9915006060f
humanhash: two-lactose-vermont-wolfram
File name:NEW_ORDERS 122020 2 x 40 HQ.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:824'832 bytes
First seen:2021-05-08 08:27:35 UTC
Last seen:2021-05-08 09:01:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:tT7OnYMImOwwilE1IBQv5GRPX/PJc8uqeyUkUx:57OnYvmOai+CoMfkUx
Threatray 4'828 similar samples on MalwareBazaar
TLSH D105F03653946B55E1BEA7798934E22013F2BC45E772CA0EBEE534DF2473B814A76302
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/153076/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/718158
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 408009 Sample: NEW_ORDERS 122020 2 x 40 HQ.exe Startdate: 08/05/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 9 other signatures 2->42 10 NEW_ORDERS 122020 2 x 40 HQ.exe 3 2->10         started        process3 file4 28 C:\...28EW_ORDERS 122020 2 x 40 HQ.exe.log, ASCII 10->28 dropped 52 Injects a PE file into a foreign processes 10->52 14 NEW_ORDERS 122020 2 x 40 HQ.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Queues an APC in another process (thread injection) 14->58 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.top-trend.website 185.104.45.21, 49722, 80 UKRAINE-ASUA Ukraine 17->30 32 www.supinapp.com 17->32 34 2 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 explorer.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8a116bfcbc1c440c1491513ee9efde46fe7f2e7f24fcdb3f43ee21d0917face7/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-05-08 08:28:19 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=riiwx7f4drcayferke7ot366i37h6lt7et6nwp2d5yq5bel7vttq._file
Verdict:
malicious
Similar samples:
27084ca2efd9f211569b913d31d8caee75cb773e73367c3f6cd40a78889a1934
Formbook
2ceaf0bcc42eb42fd5f0762a630d78d965c6d4188016f32429f2eb86330da7dc
Formbook
738ab100dc0c1db979bc68b02da95d90f59b0da83a5f4fb89d6c140ffac1517b
Formbook
7d76e48c4b21b8cae638d6f9dc5c49cb5e37d45855f47025e5eba8213c608aba
Formbook
85e3d87034ef45bfd5cb1234cde6b6c66543e1a77426dadd6a75b01f2c5ab502
Formbook
965df8ebef029defa94503159ecc0bb6d34368723093287b6b812983ed3fdd77
Formbook
b04fb6a2bc53196885c36c1de64a717a47bd0c450f2948999c368cf489e9ffb8
Formbook
b9ec25f02746e41791c31aa20c281f9a490a999962853f4b5122e94fb2f1aec2
Formbook
d746f1d3cdebbe05d98d18fc189e42ec8b0c2865abe01e28011da58b3d8c71b4
Formbook
f3bb0f029466577eb6ae2f65253d518335a8d4b7862454445d32a8339499614d
Formbook
+ 4'818 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210508-j1rxhm38vj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.supinapp.com/grv/
Unpacked files
SH256 hash:
bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87
MD5 hash:
826b29e2a141b055a5491c9d7dc6eea7
SHA1 hash:
af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9
Link:
https://www.unpac.me/results/a05e5806-e609-4144-801b-4c6ebe29cbbf/
SH256 hash:
8a116bfcbc1c440c1491513ee9efde46fe7f2e7f24fcdb3f43ee21d0917face7
MD5 hash:
7ceac88b29ab061f0fc1f9915006060f
SHA1 hash:
b7cceb6c9e8c50cda1b6f8643f2d123ca100d8b2
Link:
https://www.unpac.me/results/a05e5806-e609-4144-801b-4c6ebe29cbbf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/8a116bfcbc1c440c1491513ee9efde46fe7f2e7f24fcdb3f43ee21d0917face7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/153076/

Comments