MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ed73237c4de3ed96e8d90f4d94dcbb46bf7c947961e40601852b8bad6c03f52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ed73237c4de3ed96e8d90f4d94dcbb46bf7c947961e40601852b8bad6c03f52
SHA3-384 hash: b02cc636cb7f175025c52a6bf253257c8ed9bac7c1b066a72be9c7093bfb1c3ccd8d3dbac0f0db8b21266c66728471ef
SHA1 hash: a7b96e4ebf3423d62690fa3d545b1e2ffcb3d8d4
MD5 hash: d9e4ff69934ce995feaa9e54e0d5ad07
humanhash: pluto-juliet-robert-diet
File name:nass.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:663'040 bytes
First seen:2020-11-17 06:24:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:iwjovZfieCNeZhE75mKL0puDCBPvj6pNZjhigdfeQ4mVPR2JQcqrM7XBT:iwMv5iXts1pFPvjK1tb4mVPRCQc
Threatray 2'935 similar samples on MalwareBazaar
TLSH 4AE4012263A49738D77E1F36B414C2688335AA077819E316DF406CDE3A22F96D51A3F7
Reporter JoulK
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.461.32657.2446.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/538993
Signature
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 318589 Sample: nass.exe Startdate: 17/11/2020 Architecture: WINDOWS Score: 100 34 www.horsfordforvirginia.com 2->34 36 horsfordforvirginia.com 2->36 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Yara detected FormBook 2->44 46 Modifies the prolog of user mode functions (user mode inline hooks) 2->46 11 nass.exe 1 2->11         started        signatures3 process4 signatures5 54 Writes to foreign memory regions 11->54 56 Maps a DLL or memory area into another process 11->56 14 RegAsm.exe 11->14         started        process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 2 other signatures 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 28 grotesqueformation.com 34.102.136.180, 49738, 49739, 49743 GOOGLEUS United States 17->28 30 www.skincider.com 164.88.89.9, 49742, 80 CLAYERLIMITED-AS-APClayerLimitedHK South Africa 17->30 32 4 other IPs or domains 17->32 38 System process connects to network (likely due to code injection or exploit) 17->38 21 cmstp.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ed73237c4de3ed96e8d90f4d94dcbb46bf7c947961e40601852b8bad6c03f52/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 06:25:05 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t3lten6e3y7ns3unsd2nstolwrv7pskhsypeayaykk4lvvwah5ja._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1ebd02f5868d1d9320e811ab81f392e6b2e4d8c9daf8e4d3b254d7aa054db784
Formbook
2a8615b0a48f00fdd2165af779fedfb65af589ba9da79f6247ae5ea515e859d1
Formbook
2ea74bf397854358ce0363ce3176f0c0dc40ac0efb6f378422e2d72c8c078372
Formbook
304bf2442018e3ab1341541d15541c1f30d2fabfe252984532dd37be771241f6
Formbook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
Formbook
7346b3b5523c501e13b4ad1e8ebd685711bc168135f818685b9937d19304883b
Formbook
75f121f9048171649f3ba28afcd30a1dcd668266717b0d98e8bac88afe411fe7
Formbook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
Formbook
c19dda3e71d3e8166c0d106f10eb9fc58036286e50c0cd31dd4efd8a1bc82e7e
Formbook
fad4f5a49b06971b1e9f09356dd43bf47cdeddc1b4af2d6cda4369c73a352cc7
Formbook
+ 2'925 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201117-n1sp5cse9e/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nogyang.com/egem/
Unpacked files
SH256 hash:
9ed73237c4de3ed96e8d90f4d94dcbb46bf7c947961e40601852b8bad6c03f52
MD5 hash:
d9e4ff69934ce995feaa9e54e0d5ad07
SHA1 hash:
a7b96e4ebf3423d62690fa3d545b1e2ffcb3d8d4
Link:
https://www.unpac.me/results/33de573f-879a-4257-84a0-a4ab3e37b057/
SH256 hash:
d55f25ea336942910a755eae0829eb252bcb3a6111948b89879bc70b73978d3d
MD5 hash:
43a09844971ce17679d33716ea1ea608
SHA1 hash:
a2deb2a36169bc175cc7b91f485849d2fd4d91d1
Link:
https://www.unpac.me/results/33de573f-879a-4257-84a0-a4ab3e37b057/
SH256 hash:
81d6fe36a9400a26a6c57795ab74e9db37f8fe96571ab594604f534a7fa8ac38
MD5 hash:
8267b445496d1f0010b0e051ed09bf03
SHA1 hash:
c90ddbcf9bdcf1c7e1c138716f27bc60215f8d9b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/33de573f-879a-4257-84a0-a4ab3e37b057/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9ed73237c4de3ed96e8d90f4d94dcbb46bf7c947961e40601852b8bad6c03f52

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/825564/
  
URLhaus
https://urlhaus.abuse.ch/url/826073/

Comments