MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a806993bf26058dc6cbe82f305945d97dcf5b316115c672774950bcc0626a38d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a806993bf26058dc6cbe82f305945d97dcf5b316115c672774950bcc0626a38d
SHA3-384 hash: 6c788b0f0cfacbf7f59f7070b0b1de151ee4a20332939c69938e5f5c96acb4cc219873d5bb92944ec9b6693aecacc35b
SHA1 hash: 1e0d89830223f96d7cd6c45d4e8df61c4bdefaf3
MD5 hash: 54d709f695415f2af4c61bb53edffabf
humanhash: bravo-wisconsin-maine-cola
File name:54d709f695415f2af4c61bb53edffabf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'001'063 bytes
First seen:2020-10-23 16:01:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:JAOcZypEwhZ+lxATtFNvmXxg539FQZMaBQi2jo:jnzaKJ6Xxw96ZMA3
Threatray 4'507 similar samples on MalwareBazaar
TLSH AD251201B7D688B2D4321D325939B722AC7D7D205E34CA2FA3E40D6DDE761C1A635FA2
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/75103/
Detection(s):
Win.Malware.Vasal-9406011-0
Create hunting rule

Win.Malware.Vasal-9635248-0
Create hunting rule

Win.Dropper.Vasal-9635263-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Sending a UDP request
Creating a process from a recently created file
Creating a file
Launching a process
Launching cmd.exe command interpreter
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/508274
Signature
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303257 Sample: BG4O02IUxj.exe Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Yara detected FormBook 2->61 63 3 other signatures 2->63 11 BG4O02IUxj.exe 36 2->11         started        process3 file4 39 C:\Users\user\AppData\Roaming\...\rfroxpc.pif, PE32 11->39 dropped 73 Drops PE files with a suspicious file extension 11->73 15 rfroxpc.pif 3 11->15         started        signatures5 process6 file7 41 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 15->41 dropped 43 Multi AV Scanner detection for dropped file 15->43 45 Writes to foreign memory regions 15->45 47 Allocates memory in foreign processes 15->47 49 2 other signatures 15->49 19 RegSvcs.exe 15->19         started        22 RegSvcs.exe 15->22         started        24 mshta.exe 15->24         started        26 6 other processes 15->26 signatures8 process9 signatures10 65 Modifies the context of a thread in another process (thread injection) 19->65 67 Maps a DLL or memory area into another process 19->67 69 Sample uses process hollowing technique 19->69 71 2 other signatures 19->71 28 explorer.exe 19->28 injected 30 WerFault.exe 22->30         started        process11 process12 32 netsh.exe 28->32         started        signatures13 51 Modifies the context of a thread in another process (thread injection) 32->51 53 Maps a DLL or memory area into another process 32->53 55 Tries to detect virtualization through RDTSC time measurements 32->55 35 cmd.exe 32->35         started        process14 process15 37 conhost.exe 35->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a806993bf26058dc6cbe82f305945d97dcf5b316115c672774950bcc0626a38d/
Threat name:
Win32.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 14:43:50 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vadjso7smbmny3f6qlzqlfc5s7oplmywcfogoj3usuf4ybrguogq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0d5af6ad459d48db0b27ab6ab4584191097bfc33c4f2475ce1b3a66e523e2bef
Formbook
106f9f66c54be3c20be8f04ce63f5d6183d6eb9e79a6b243b5c820cc01ee24cb
Formbook
10a9aab39489aa507d35bb18b357ca6c9f8642d8fa27fc1ad9c7de03c8e9415d
Formbook
5e5dc622108b69d77e09abf99287d670c8f0249e59971ee49ef7506adb572ecf
Formbook
7044d232a489bff666d788729e41db7c74ad7f0d94f1a212fce0694855ecd899
Formbook
76e2040321ed7cc5ff6ced0a91b8e8546b7f9a4eab5802beb8ce137b0da48244
Formbook
9cfc6d15c9f94fbd02270634f89d713e26e943cf55bf088471771144ce471633
Formbook
b35bd4c70b7e7b6ef3a3a0b1196720b542e78137476b52380b352af1633432b2
Formbook
bcaf7b4adc919fd5aaae24902b8135e2ad6d13249e9cb784b1532b52e40449b5
Formbook
eacd132f69b64ef7a47c959fd92f50343be23e5768f0476c665870f5de4f89ee
Formbook
+ 4'497 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201023-dtzxwzv77a/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.amazon-i3.com/nyk/
Unpacked files
SH256 hash:
a806993bf26058dc6cbe82f305945d97dcf5b316115c672774950bcc0626a38d
MD5 hash:
54d709f695415f2af4c61bb53edffabf
SHA1 hash:
1e0d89830223f96d7cd6c45d4e8df61c4bdefaf3
Link:
https://www.unpac.me/results/a166f64f-f30c-4c83-ab69-40d50668bbb2/
SH256 hash:
8f2f6a440650eaae01e1cf238f97dc3ea949f3e9efa3cd5f9ce0df22a13d144f
MD5 hash:
0af2b13c5db8a8172dd30f2538483f8d
SHA1 hash:
10e51031677946fc8d3c81b0b5c6975a2d4f12de
Link:
https://www.unpac.me/results/a166f64f-f30c-4c83-ab69-40d50668bbb2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a806993bf26058dc6cbe82f305945d97dcf5b316115c672774950bcc0626a38d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe a806993bf26058dc6cbe82f305945d97dcf5b316115c672774950bcc0626a38d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/75103/
  
URLhaus
https://urlhaus.abuse.ch/url/739822/
  
Delivery method
Distributed via web download

Comments