MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac2e9615b368e00fb4bf4d5180bbfc0d6fb7bbce3fa1af603d346d7a8f2450e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac2e9615b368e00fb4bf4d5180bbfc0d6fb7bbce3fa1af603d346d7a8f2450e5
SHA3-384 hash: 1e2376dfa316277f75c5b983a2a8a02afd2e5aa98e160c6d7605ee84f2049cab02f32f7f4a1d34a1968a733a2ff09872
SHA1 hash: 3f5d0833adbd39715f1d45f1a3c8982c52519bc1
MD5 hash: 65880d23eb6051a1604707371ebb6d2c
humanhash: double-texas-yankee-ack
File name:HussanCrypted.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:741'376 bytes
First seen:2020-10-21 14:24:58 UTC
Last seen:2022-07-08 09:22:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a5d92eea222a4272a60ec00cf7a41b7 (6 x Loki, 6 x AgentTesla, 1 x Formbook)
ssdeep 12288:25/c7YVklcD0+K4cRp8eTTXcy+O8W0qoEREhu4oMeh8mBv4n:0v2OIRLTTXcC5oERkf08Q4
Threatray 2'598 similar samples on MalwareBazaar
TLSH 3FF49E62A2E149F7C02B1B39BD0B57649C25FE613D286D462BF41DCC9F39691382B2D3
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74179/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

PUA.Win.Adware.Webalta-6912039-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.DealPly.jh.16493.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505976
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 302045 Sample: HussanCrypted.exe Startdate: 21/10/2020 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 2 other signatures 2->41 10 HussanCrypted.exe 2->10         started        process3 signatures4 49 Detected unpacking (changes PE section rights) 10->49 51 Maps a DLL or memory area into another process 10->51 53 Tries to detect virtualization through RDTSC time measurements 10->53 55 Contains functionality to detect sleep reduction / modifications 10->55 13 HussanCrypted.exe 10->13         started        process5 signatures6 57 Modifies the context of a thread in another process (thread injection) 13->57 59 Maps a DLL or memory area into another process 13->59 61 Sample uses process hollowing technique 13->61 63 Queues an APC in another process (thread injection) 13->63 16 explorer.exe 13->16 injected process7 dnsIp8 27 www.cleo.vision 91.195.240.94, 49771, 80 SEDO-ASDE Germany 16->27 29 www.baharran.com 88.198.97.25, 49768, 80 HETZNER-ASDE Germany 16->29 31 23 other IPs or domains 16->31 33 System process connects to network (likely due to code injection or exploit) 16->33 20 raserver.exe 16->20         started        signatures9 process10 signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac2e9615b368e00fb4bf4d5180bbfc0d6fb7bbce3fa1af603d346d7a8f2450e5/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 14:24:26 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqxjmfntndqa7nf7jviybo74bvx3po6oh6q26yb5grwxvdzekdsq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
15d71d7a0b659fa5429a2e96d9185dad6aca0fe201dfa802b7fd0ef2b8211c76
Formbook
1ce0c7f388fb8db723745beb75cfd8e16e6b08ed35268c405bc203813123d284
Formbook
339505a9dc4fdae3e5a44a6d33230c75d181a8674bead358b8c9012156f4672d
Formbook
72696d78e02a5f32462855866fee3ddba93f53a0a1bb84c58c98e84d623f3abd
Formbook
89c0e9f07b4245f97dccad1b925e19ad1a436b61c5fce2f2f12bc05c0042dcbe
Formbook
92625b5d11e691107b8aa2e733c1be9fe3677b5a86f03e08f239bf6e0d450885
Formbook
adfaf60f2ef07cd0b6f3fdd429fb94e76376ebf41b0b615d2664449e6adb358e
Formbook
c5eddcaa83e4167df259033ee45a3624c5a700877aac6bc54dd46d1a3a1aacbd
Formbook
e4badaf86c0f22c6b31c97f661ba5af3f757697e7493c2e750a813173dec2273
Formbook
e85ece3cee51156974c3fb8f0e2c707dae2b51b0d2db9e5fb10531d2fdd76ca6
Formbook
+ 2'588 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201021-n9p47tplx6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.eparegistrar.com/cia6/
Unpacked files
SH256 hash:
ac2e9615b368e00fb4bf4d5180bbfc0d6fb7bbce3fa1af603d346d7a8f2450e5
MD5 hash:
65880d23eb6051a1604707371ebb6d2c
SHA1 hash:
3f5d0833adbd39715f1d45f1a3c8982c52519bc1
Link:
https://www.unpac.me/results/ef6947e8-78c9-440f-9d60-640b85e1f835/
SH256 hash:
8dd9842ca5eb65d317447a25249785e023dda7755dd3293fe747953c4e62e326
MD5 hash:
a6da1f96f74a04c26cdaf7647d10cf52
SHA1 hash:
5522252e58e045b22a1888d4bb2fc4bbef6594ff
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ef6947e8-78c9-440f-9d60-640b85e1f835/
Parent samples :
ac2e9615b368e00fb4bf4d5180bbfc0d6fb7bbce3fa1af603d346d7a8f2450e5
4660ad3420890a6ce1c9e47ac50d398f6ba128e0d4205e69e82e012c169e5d95
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/74179/

Comments