MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2c6a9d6809c3cf2ea1108aae86677aaba31ef7e2f10017331716bedd2a8f91c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2c6a9d6809c3cf2ea1108aae86677aaba31ef7e2f10017331716bedd2a8f91c
SHA3-384 hash: 2fecefcc541ee5b3fbe36aa3dbb3616f29022264c84b03370f17877de95166a19ddfa0b604121ceb8614db62b9b230b5
SHA1 hash: 95657425b7d3a3bd81426e76637ba77d3ccd3d8b
MD5 hash: c9679e89c82e025b9855189876f92761
humanhash: sixteen-artist-grey-happy
File name:c9679e89c82e025b9855189876f92761.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:289'149 bytes
First seen:2021-08-05 05:57:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 6144:k9PsOLUu1ITOgcWXg38+UT0Tf3OkKNqos0f3boqReR0+:kZQ1Zg38+UMOLL8RR0+
TLSH T12C54F111F1804536E4320AFACDB96755001FBB702F7967E3E2A82C5E4DB96D23E3958B
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c9679e89c82e025b9855189876f92761.exe
Verdict:
Malicious activity
Analysis date:
2021-08-05 05:59:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a8200465-df32-464c-8978-aa727afc4833

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176520/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a file
Sending a UDP request
Enabling autorun with the shell\open\command registry branches
Unauthorized injection to a recently created process by context flags manipulation
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e0e0949-f965-459c-9698-92dfb3715235
Result
Threat name:
FormBook Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827870
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 460300 Sample: dVUsIZmrvk.exe Startdate: 06/08/2021 Architecture: WINDOWS Score: 100 41 www.tinsley.website 2->41 43 www.asmfruits-almacenes.com 2->43 45 tinsley.website 2->45 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 8 other signatures 2->63 12 dVUsIZmrvk.exe 4 2->12         started        signatures3 process4 file5 33 C:\Windows\svchost.com, PE32 12->33 dropped 35 C:\Users\user\AppData\Local\...\DismHost.exe, PE32 12->35 dropped 37 C:\Users\user\AppData\Local\...\setup.exe, PE32 12->37 dropped 39 117 other malicious files 12->39 dropped 81 Creates an undocumented autostart registry key 12->81 83 Drops PE files with a suspicious file extension 12->83 85 Drops executable to a common third party application directory 12->85 87 Infects executable files (exe, dll, sys, html) 12->87 16 dVUsIZmrvk.exe 12->16         started        signatures6 process7 signatures8 53 Maps a DLL or memory area into another process 16->53 55 Tries to detect virtualization through RDTSC time measurements 16->55 19 dVUsIZmrvk.exe 16->19         started        process9 signatures10 65 Modifies the context of a thread in another process (thread injection) 19->65 67 Maps a DLL or memory area into another process 19->67 69 Sample uses process hollowing technique 19->69 71 Queues an APC in another process (thread injection) 19->71 22 explorer.exe 19->22 injected process11 dnsIp12 47 matcitekids.com 50.87.248.20, 49716, 80 UNIFIEDLAYER-AS-1US United States 22->47 49 www.ivoirepneus.com 213.186.33.5, 49718, 80 OVHFR France 22->49 51 11 other IPs or domains 22->51 73 System process connects to network (likely due to code injection or exploit) 22->73 26 colorcpl.exe 22->26         started        signatures13 process14 signatures15 75 Modifies the context of a thread in another process (thread injection) 26->75 77 Maps a DLL or memory area into another process 26->77 79 Tries to detect virtualization through RDTSC time measurements 26->79 29 cmd.exe 1 26->29         started        process16 process17 31 conhost.exe 29->31         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a2c6a9d6809c3cf2ea1108aae86677aaba31ef7e2f10017331716bedd2a8f91c/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 05:58:09 UTC
AV detection:
45 of 46 (97.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uldktvuatq6pf2qrbcvoqztxvk5dd336f4iac4zrofv63uvi7eoa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210805-h53yaprktn/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies system executable filetype association
Unpacked files
SH256 hash:
a2c6a9d6809c3cf2ea1108aae86677aaba31ef7e2f10017331716bedd2a8f91c
MD5 hash:
c9679e89c82e025b9855189876f92761
SHA1 hash:
95657425b7d3a3bd81426e76637ba77d3ccd3d8b
Link:
https://www.unpac.me/results/376e294e-bc1e-4c0e-a77d-5df899d07d2f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/a2c6a9d6809c3cf2ea1108aae86677aaba31ef7e2f10017331716bedd2a8f91c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe a2c6a9d6809c3cf2ea1108aae86677aaba31ef7e2f10017331716bedd2a8f91c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1335110/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/176520/

Comments