MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90ce350a15e0ca0d408b4b8744e51e7c87b6962eee67f1aca9bfb167ddb5106e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90ce350a15e0ca0d408b4b8744e51e7c87b6962eee67f1aca9bfb167ddb5106e
SHA3-384 hash: b6db38d1f67c4fff4e659d13eb1864331f8dcdc3d4525cfc8ac9f11ef45a605d3dcf16ee32a0ae5eda570766c3f79400
SHA1 hash: ce9ac083d9310cd62dcb4d94d948acc0bbdd206f
MD5 hash: ef7a4266f7bddf855d86e5431268e182
humanhash: georgia-shade-high-summer
File name:ef7a4266f7bddf855d86e5431268e182.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:406'239 bytes
First seen:2020-12-03 14:32:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 12288:Eanw8tVRcQrHTEIh0paS/eucvmr9efOQDP:48tVGQrzE2YaAeRvYvQDP
Threatray 3'319 similar samples on MalwareBazaar
TLSH A1842315372088AFD06152702E7E3B6CEEAC243B930B1E07DB749F16BD67387262E565
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106620/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/554758
Signature
Antivirus / Scanner detection for submitted sample
Hijacks the control flow in another process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 326477 Sample: tFHw4DzeTt.exe Startdate: 03/12/2020 Architecture: WINDOWS Score: 100 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 4 other signatures 2->59 11 tFHw4DzeTt.exe 47 2->11         started        process3 file4 31 C:\Users\user\AppData\...\CyborgAncon.dll, PE32 11->31 dropped 33 C:\Users\user\AppData\Roaming\...\wbemDC.dll, PE32 11->33 dropped 35 C:\Users\user\AppData\Roaming\...\vcbuild.dll, PE32 11->35 dropped 37 4 other files (none is malicious) 11->37 dropped 14 rundll32.exe 11->14         started        process5 signatures6 69 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->69 71 Hijacks the control flow in another process 14->71 73 Maps a DLL or memory area into another process 14->73 17 cmd.exe 14->17         started        process7 signatures8 45 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->45 47 Modifies the context of a thread in another process (thread injection) 17->47 49 Maps a DLL or memory area into another process 17->49 51 3 other signatures 17->51 20 explorer.exe 17->20 injected process9 dnsIp10 39 pulaofactory.com 34.102.136.180, 49750, 80 GOOGLEUS United States 20->39 41 www.ffzye.com 106.13.13.182, 80 BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd China 20->41 43 5 other IPs or domains 20->43 61 System process connects to network (likely due to code injection or exploit) 20->61 24 WWAHost.exe 20->24         started        signatures11 process12 signatures13 63 Modifies the context of a thread in another process (thread injection) 24->63 65 Maps a DLL or memory area into another process 24->65 67 Tries to detect virtualization through RDTSC time measurements 24->67 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90ce350a15e0ca0d408b4b8744e51e7c87b6962eee67f1aca9bfb167ddb5106e/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 14:33:05 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sdhdkcqv4dfa2qeljodujzi6psd3nfro5zt7dlfjx6ywpxnvcbxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0aa79342c00ecadc1a8771b574911abbc7bd89d833598ea1bf9ad7ffa63c2ee9
Formbook
171bb4112c7a42e6ba98bb14516a15dc2a016f970e00e0d64224b5f76ebc6a77
Formbook
4c648b7b14b2eb3f4d58468a82684d68ee1ef6bed84a57545454de8849da9535
Formbook
5866468d4084d09ee1b47f5135e8968923581b6f6fb5bacaed97b0e3da3a6999
Formbook
6a9159d672c380ec9f2d7ecf683147e10176ad5cdebcd9319c65ec4fe91be3f5
Formbook
80f733776515fd3c59c8be1c08bbbb9a257b02bbb2c9228c0a8831f846562508
Formbook
8ec65b9bced5fa5082ed515bd116be235dc59be1b2608432e249dfcabed7a64a
Formbook
da32993754454442eef39fdeebd12d93d25299369f4db9c8bf64b6884a07c4ed
Formbook
db4aad17cb58975d3c42dc37b92e7c8bfdce82da52c5eb6a5e87709cf906a684
Formbook
e95f8244e8eb4cf8d3d34fc357653e1a2cc81fb2d049830bdbb10bd6b554f6dd
Formbook
+ 3'309 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201203-3a148calrn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.fuentenebro.wine/ugk/
Unpacked files
SH256 hash:
90ce350a15e0ca0d408b4b8744e51e7c87b6962eee67f1aca9bfb167ddb5106e
MD5 hash:
ef7a4266f7bddf855d86e5431268e182
SHA1 hash:
ce9ac083d9310cd62dcb4d94d948acc0bbdd206f
Link:
https://www.unpac.me/results/d7129c6f-6aa2-40e2-a02f-63b686091610/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90ce350a15e0ca0d408b4b8744e51e7c87b6962eee67f1aca9bfb167ddb5106e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 90ce350a15e0ca0d408b4b8744e51e7c87b6962eee67f1aca9bfb167ddb5106e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/727958/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/106620/

Comments