MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92420ebd5feeb4171db8a4877ac6eb2dd594fd4d07192408b26aa9b98c5d048d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92420ebd5feeb4171db8a4877ac6eb2dd594fd4d07192408b26aa9b98c5d048d
SHA3-384 hash: d2c38a7c8e48b8228c514483c8df9be275de0a6ae4bfdccd8a6b4042eca7dba09f34151e734ddf68ba6de98bc7ac58a0
SHA1 hash: e3b553368eec14ea84ba32f291a17dc614c64670
MD5 hash: 06aafd2382d63afc9874125e5c1062b0
humanhash: kilo-yankee-seventeen-mockingbird
File name:06aafd2382d63afc9874125e5c1062b0.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:333'824 bytes
First seen:2021-01-14 06:30:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e7da020c2fad0c59a3d5e97971484548 (3 x Formbook, 2 x AgentTesla, 2 x Loki)
ssdeep 6144:sr1I5DbAQcHAORYANc2wPYShrCT1X9ZpKltQzUvrYbdw3CK:Q1I5fAPHtwdWTvZAQoYCP
Threatray 3'343 similar samples on MalwareBazaar
TLSH 9664F15A72F2C072D0B6027042945BB3E1BA7D32067480BBFFD84D6E5EB49D016766AF
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
06aafd2382d63afc9874125e5c1062b0.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-14 06:32:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c4cc7538-9b88-43d9-ae4f-224989a918df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111917/
Detection(s):
SecuriteInfo.com.Artemis06AAFD2382D6.25671.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/580889
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 339475 Sample: 9110tW1F44.exe Startdate: 14/01/2021 Architecture: WINDOWS Score: 100 34 www.aboutwheelchair.com 2->34 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 5 other signatures 2->44 11 9110tW1F44.exe 2->11         started        signatures3 process4 signatures5 52 Maps a DLL or memory area into another process 11->52 54 Tries to detect virtualization through RDTSC time measurements 11->54 14 9110tW1F44.exe 11->14         started        process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 28 www.uqur88.com 154.208.181.79, 49731, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 17->28 30 www.wxxxtw.com 23.107.183.45, 49745, 80 LEASEWEB-USA-LAX-11US United States 17->30 32 4 other IPs or domains 17->32 36 System process connects to network (likely due to code injection or exploit) 17->36 21 msiexec.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/92420ebd5feeb4171db8a4877ac6eb2dd594fd4d07192408b26aa9b98c5d048d/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-13 17:03:11 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sjba5pk7522bohnyusdxvrxlfxkzj7kna4msicfsnku3tdc5asgq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1f9d1bffe188b76bbd97cb2fd59ab47248b71fcede2f415ca29fcc0f1040bbee
Formbook
317d6e7564bb5a207b7e3c7f1fa895e0682557ba0a51515b6fc931c70b373a58
Formbook
3809041ce9fcb7f00674e65db2fd63f94373df583d6e3e869943aeb08b34ad28
Formbook
6387c2471bf35b00168f223167b632f3fa43a1fdd28e2de60eea41fd8275271e
Formbook
75f121f9048171649f3ba28afcd30a1dcd668266717b0d98e8bac88afe411fe7
Formbook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
Formbook
928c710fc7eaa23a9b84ab77dc39377dc4a0782e3482d8bbda505f955b37d2f8
Formbook
c1a564800071499d39ba2f7e92c403c9ec87ca7837bafd76d00dbe37589c9eb3
Formbook
c2f223414349d527d823e8ad555297ab26dccbb39d4bf1d3b7030c232723fbff
Formbook
e34426ec0d12a3acde221f2a5e5476528e028c1fc980a7c2d35dcfdde9caccab
Formbook
+ 3'333 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210114-64nw7vzzke/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.evana-rohanihijab.com/iic6/
Unpacked files
SH256 hash:
92420ebd5feeb4171db8a4877ac6eb2dd594fd4d07192408b26aa9b98c5d048d
MD5 hash:
06aafd2382d63afc9874125e5c1062b0
SHA1 hash:
e3b553368eec14ea84ba32f291a17dc614c64670
Link:
https://www.unpac.me/results/8f899243-8374-4697-9994-91eeb8ff77a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/92420ebd5feeb4171db8a4877ac6eb2dd594fd4d07192408b26aa9b98c5d048d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 92420ebd5feeb4171db8a4877ac6eb2dd594fd4d07192408b26aa9b98c5d048d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/958866/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/111917/

Comments