MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c59292352ccbebbc63ea3c740a7981594b6e8dbea866e1c1c8f66b0a0aa61eba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c59292352ccbebbc63ea3c740a7981594b6e8dbea866e1c1c8f66b0a0aa61eba
SHA3-384 hash: 15387a943719ade2f6c89fe7ae29b15cbbe1622f16e096aae2f751d47d26aa747b0a01b2a0d7f1cde17422d736592286
SHA1 hash: 443a1035d7c658f2a88ab2e56876fc28aecb2d6a
MD5 hash: 016fb231fa20e3598a89b29b28cf07e5
humanhash: equal-jig-wisconsin-grey
File name:c59292352ccbebbc63ea3c740a7981594b6e8dbea866e1c1c8f66b0a0aa61eba
Download: download sample
Signature Formbook
Create hunting rule
File size:474'112 bytes
First seen:2020-11-13 16:10:09 UTC
Last seen:2024-07-24 21:17:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f0922943cd5e72743dc95ef474069cfd (8 x AgentTesla, 8 x NanoCore, 5 x NetWire)
ssdeep 12288:5mg7+oiiER0LNqUbubaF1oVnHBtnMi1M/NXuQL55:5mOWN+7CZHBtMn4G
Threatray 2'919 similar samples on MalwareBazaar
TLSH 6DA423989A6017A9D3E481F63A8B5FEF4E29D893B1A4C2372C19D1CC60BE1D5CD24633
Reporter seifreed
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

Win.Malware.Generic-9790344-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/534471
Signature
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316335 Sample: OZjLyhkYEf Startdate: 14/11/2020 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 3 other signatures 2->43 10 OZjLyhkYEf.exe 2->10         started        process3 signatures4 51 Maps a DLL or memory area into another process 10->51 53 Tries to detect virtualization through RDTSC time measurements 10->53 55 Contains functionality to detect sleep reduction / modifications 10->55 13 OZjLyhkYEf.exe 10->13         started        process5 signatures6 57 Modifies the context of a thread in another process (thread injection) 13->57 59 Maps a DLL or memory area into another process 13->59 61 Sample uses process hollowing technique 13->61 63 Queues an APC in another process (thread injection) 13->63 16 explorer.exe 13->16 injected process7 dnsIp8 29 alekhyasarees.com 173.82.106.140, 49755, 80 MULTA-ASN1US United States 16->29 31 ghs.googlehosted.com 172.217.168.83, 49749, 80 GOOGLEUS United States 16->31 33 4 other IPs or domains 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 20 msdt.exe 16->20         started        23 autoconv.exe 16->23         started        signatures9 process10 signatures11 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 25 cmd.exe 1 20->25         started        process12 process13 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c59292352ccbebbc63ea3c740a7981594b6e8dbea866e1c1c8f66b0a0aa61eba/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2020-11-13 16:27:19 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ywjjenjmzpv3yy7khr2au6mblffw5dn6vbtodqoi6zvqucvgd25a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
2f7928f55bdc7b386f2163c027d9ac29cf2cee2dd29b54fee39f18bc8db8344b
Formbook
350e219c13047857943a54ec0f55a0db19e2980cbff9d73f1aea34b9bd0b17de
Formbook
515f7d3e80be5b43204e165789a22254722d90b39c3a130f91949d1a511ff082
Formbook
8f06b49b371c6b257b716689b767ebf4bbc75391d0cf152b9bbe498ef55d017c
Formbook
a9a6a44f3eca95cc7785debebea767461798f27978628c58a06474005b8855c8
Formbook
b3b093d992d26b0d21a61a778598abd5dd87649a89f724c2798f60f9dc19de1a
Formbook
b8a70285a4c92a2f629bcb9f0beafccf5ac73e934e28401b970ad4ca6d8bc60b
Formbook
cd1cf9ec6f4414bc33e3e18485e72af68252f3a765a585fe383214372797f41c
Formbook
e34426ec0d12a3acde221f2a5e5476528e028c1fc980a7c2d35dcfdde9caccab
Formbook
eefab144fefdb2883084329ab3755717ed6882b348eea18aa611a0a446c39f69
Formbook
+ 2'909 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan upx
Link:
https://tria.ge/reports/201113-v1ftjqsjln/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
UPX packed file
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.ozsmarthomes.com/iic6/
Unpacked files
SH256 hash:
c59292352ccbebbc63ea3c740a7981594b6e8dbea866e1c1c8f66b0a0aa61eba
MD5 hash:
016fb231fa20e3598a89b29b28cf07e5
SHA1 hash:
443a1035d7c658f2a88ab2e56876fc28aecb2d6a
Link:
https://www.unpac.me/results/4a638af3-d427-418c-bc80-8bf00ca12ae9/
SH256 hash:
aebb87e8bbae504173a35c378cf59077e6c0e03a9972e92b3b484f56ff421e07
MD5 hash:
e67acabdda3b9ccfeeeefaa8dc47bc6a
SHA1 hash:
e58f9ffa0399794d5efd1fb91de666f9e63dda4d
Link:
https://www.unpac.me/results/4a638af3-d427-418c-bc80-8bf00ca12ae9/
SH256 hash:
22199826b8537e23f3cb3c28f1b3dce52f5173e8e8a20da430afc75c575dc8ff
MD5 hash:
2207bda3c1237c2c79a97e6c07c0670a
SHA1 hash:
a610f92df2681808b2d3134c1738e88f28b3941b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4a638af3-d427-418c-bc80-8bf00ca12ae9/
Parent samples :
2f7928f55bdc7b386f2163c027d9ac29cf2cee2dd29b54fee39f18bc8db8344b
350e219c13047857943a54ec0f55a0db19e2980cbff9d73f1aea34b9bd0b17de
cd1cf9ec6f4414bc33e3e18485e72af68252f3a765a585fe383214372797f41c
c59292352ccbebbc63ea3c740a7981594b6e8dbea866e1c1c8f66b0a0aa61eba
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments