MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c0e95028944337b1e8a9e8dcc4ba141b535a4ee7dde151ca464238976039337. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c0e95028944337b1e8a9e8dcc4ba141b535a4ee7dde151ca464238976039337
SHA3-384 hash: 39498a70cc26c5bf6376d31a0316ac79c89865a2bab486ded0977d376c6cd780967886c847a2def9dd7c94a5e408465a
SHA1 hash: 800da8e187684b05e759f9b4bc16fe479d8a8c69
MD5 hash: 027cab97658a200ad23ccfda1fd16775
humanhash: mockingbird-timing-hydrogen-robin
File name:UZOM POWER.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:706'184 bytes
First seen:2021-08-07 05:45:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 97750a00050e37c7b56da7bc3864f0f1 (7 x Formbook, 2 x Loki, 1 x RedLineStealer)
ssdeep 12288:XBZExtz617gNm5YnXDdWj646hqyS3N3dCjli9ZKhefDiH/attLf1nAiw7X:XBZExtzlDdWjt6BSNdkqZKhCeH/ajfhS
Threatray 7'511 similar samples on MalwareBazaar
TLSH T1B6E49F1179419031C2B234310F75E2B24B7D6C642E205A9B67E83E7B7FBC493B635B2A
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
344
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UZOM POWER.exe
Verdict:
Malicious activity
Analysis date:
2021-08-07 05:46:14 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/d0c640e2-37c0-423c-a865-e841d6516238

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177112/
Detection(s):
Win.Packed.Pwsx-9883784-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching the process to change network settings
Launching cmd.exe command interpreter
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4c43c666-3485-4745-9726-bc90d4fddaaa
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828563
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 460994 Sample: UZOM POWER.exe Startdate: 07/08/2021 Architecture: WINDOWS Score: 100 26 www.sutsci.com 2->26 28 www.scottkenan.com 2->28 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 6 other signatures 2->52 10 UZOM POWER.exe 2->10         started        signatures3 process4 signatures5 54 Maps a DLL or memory area into another process 10->54 13 UZOM POWER.exe 10->13         started        process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 13->56 58 Maps a DLL or memory area into another process 13->58 60 Sample uses process hollowing technique 13->60 62 Queues an APC in another process (thread injection) 13->62 16 mstsc.exe 13->16         started        19 explorer.exe 13->19 injected process8 dnsIp9 36 Modifies the context of a thread in another process (thread injection) 16->36 38 Maps a DLL or memory area into another process 16->38 40 Tries to detect virtualization through RDTSC time measurements 16->40 22 cmd.exe 1 16->22         started        30 www.thaipayakorn.com 172.255.209.118, 49749, 80 LEASEWEB-USA-SFO-12US United States 19->30 32 torontomassage.club 132.148.226.40, 49755, 80 GO-DADDY-COM-LLCUS United States 19->32 34 12 other IPs or domains 19->34 42 System process connects to network (likely due to code injection or exploit) 19->42 44 Performs DNS queries to domains with low reputation 19->44 signatures10 process11 process12 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c0e95028944337b1e8a9e8dcc4ba141b535a4ee7dde151ca464238976039337/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-04 07:10:13 UTC
AV detection:
33 of 47 (70.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rqhjkaujiqzxwhukt2g4ys5big2tljhopxpbkhfemqrys5qdsm3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1dc173b24c0b503a394568e4a1fff7887dd739cc287e529f25b173dbfea4010b
Formbook
2fcedf25cd8c0df5db7864ff3663f6a923eb3cdf1a30619a2eeb69df58e1c4f1
Formbook
355dd96121c1930f9c9c0f94b6474d5cbeb3bcfd6a7c51a043674cc79a26c891
Formbook
42081326f379275d4b731f76f2d932cd72cd2c404ed654ee281b66b08e59f6f7
Formbook
7e5cbd1d9fa1eab91099fcf24c569ce8e14fdcdc1f4f345d47ffdb5270c9312c
Formbook
9b985974efb3d7555b61cec77f2667cd6aca5f74a07f712b3aa58a54aa03bebb
Formbook
ea38a026b9c1764cc7e1028c9674c2cb6fef4c4861ba643976c686ea79d040f8
Formbook
+ 7'501 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:d8ak loader rat suricata
Link:
https://tria.ge/reports/210807-x8l4jgwb52/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.sutsci.com/d8ak/
Unpacked files
SH256 hash:
f1098cf2ae8172065704ec8de1019c12ad33f32702a85de4cf0d031b9ecffb4f
MD5 hash:
93ce48f18608490a9aa3dce9a0db8d1d
SHA1 hash:
be8942eb02cee58663c7db1b1e14d08e77abd406
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/719a6357-d72b-436e-b9c7-96f2d120b33e/
Parent samples :
2fcedf25cd8c0df5db7864ff3663f6a923eb3cdf1a30619a2eeb69df58e1c4f1
42081326f379275d4b731f76f2d932cd72cd2c404ed654ee281b66b08e59f6f7
9b985974efb3d7555b61cec77f2667cd6aca5f74a07f712b3aa58a54aa03bebb
ea38a026b9c1764cc7e1028c9674c2cb6fef4c4861ba643976c686ea79d040f8
8c0e95028944337b1e8a9e8dcc4ba141b535a4ee7dde151ca464238976039337
SH256 hash:
8c0e95028944337b1e8a9e8dcc4ba141b535a4ee7dde151ca464238976039337
MD5 hash:
027cab97658a200ad23ccfda1fd16775
SHA1 hash:
800da8e187684b05e759f9b4bc16fe479d8a8c69
Link:
https://www.unpac.me/results/719a6357-d72b-436e-b9c7-96f2d120b33e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c0e95028944337b1e8a9e8dcc4ba141b535a4ee7dde151ca464238976039337

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8c0e95028944337b1e8a9e8dcc4ba141b535a4ee7dde151ca464238976039337

(this sample)

  
Dropped by
null
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/177112/

Comments