MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d94c8028fa7fd7062dc2cd8c78b458d68bc7c8e8e260afc827bef217aeeac693. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs 7 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d94c8028fa7fd7062dc2cd8c78b458d68bc7c8e8e260afc827bef217aeeac693
SHA3-384 hash: ed5ef24e7fd9fba87339149524fa571707a2afdf497b515a24fcfd4c38c7f9ad5687b617deca87d3d528a3b04160f733
SHA1 hash: 24c38d07046c2781f01d98ae3d7b1d9a80ea69e0
MD5 hash: e4086615e3011d916a50689cef433c77
humanhash: jersey-vermont-michigan-july
File name:D94C8028FA7FD7062DC2CD8C78B458D68BC7C8E8E260A.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:5'700'202 bytes
First seen:2021-07-24 04:06:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d17be67c8d0394c5c1b8e725359ed89 (5 x Adware.Generic, 4 x njrat, 3 x NanoCore)
ssdeep 98304:3EAKCzqdfS72BW2WLASB3MgsESIXaM3dm8j6o8DQDvALRmn6BKVq:0LNS7tASVMgdR3sWx5LALonQK4
Threatray 425 similar samples on MalwareBazaar
TLSH T1F24622274F867CC7DC05AC30AF3427E49D814AE7AD065DE723E037866ABB49513981BE
dhash icon 12b27269d8dccc6d (1 x Formbook)
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Formbook C2:
http://web24host.com/a/a/www//1.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://web24host.com/a/a/www//1.jpg https://threatfox.abuse.ch/ioc/162662/
http://web24host.com/a/a/www//7.jpg https://threatfox.abuse.ch/ioc/162663/
http://web24host.com/a/a/www//2.jpg https://threatfox.abuse.ch/ioc/162664/
http://web24host.com/a/a/www//4.jpg https://threatfox.abuse.ch/ioc/162665/
http://web24host.com/a/a/www//6.jpg https://threatfox.abuse.ch/ioc/162666/
http://web24host.com/a/a/www//5.jpg https://threatfox.abuse.ch/ioc/162667/
http://web24host.com/a/a/www//3.jpg https://threatfox.abuse.ch/ioc/162668/

Intelligence

File Origin
# of uploads :
1
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
D94C8028FA7FD7062DC2CD8C78B458D68BC7C8E8E260A.exe
Verdict:
No threats detected
Analysis date:
2021-07-24 04:09:44 UTC
Tags:
installer
Link:
https://app.any.run/tasks/93b198e0-3183-4487-81a1-f913878c559d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173814/
Detection(s):
Win.Packed.Bulz-9769773-0
Create hunting rule

Win.Malware.Bulz-9778250-0
Create hunting rule

PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Win.Malware.Zusy-9781646-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.Vidar.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

SecuriteInfo.com.PSW.Generic8.CDKL.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/177ef7f6-e1c3-4ce8-b1ef-ed4fa5c497e7
Result
Threat name:
AveMaria Oski StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821138
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AveMaria stealer
Yara detected Oski Stealer
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d94c8028fa7fd7062dc2cd8c78b458d68bc7c8e8e260afc827bef217aeeac693/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-12-24 11:24:38 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3fgiakh2p7lqmloczwghrncy22f4pshi4jqk7sbhx3zbplxky2jq._file
Verdict:
malicious
Similar samples:
12f5634cd28b25f6dcde9a1d7902d64ab4ded48b50e06e4ec0f583e03a156125
Formbook
1860347130f68ba0d084750816ca0fc532b8647d89e36ff53c0355e73a46d332
Formbook
2efb273760c5f443d4fc9269ba66f258debf0d9c68ca5172a2d947a39fefe148
Formbook
40afa1e323be151d0d7a38c72f771b0b9e909f49ddade942d4260a5e29e5ec2f
Formbook
5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487
Formbook
916bd03b40de6bfa498311e3a70d3e98c50e8255fd413d446daab77951224856
Formbook
a9e2cff74c2afe7a6d87d7cb25bc41f044f8b492541729fb1503408b7ede6fa2
Formbook
c41aa6d6eeac57851b0a00a619609ed764072881b85b7dad25ac30f2856eda43
Formbook
db23d6f5e2123cde47f4e3178bf18063aa3270d13499991200c9074a837eff07
Formbook
e73a75a27e10ebb5efaa129b0d8163ea8e2d1ba544d297ba7259dcf6019b4ca3
Formbook
+ 415 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:oski family:stormkitty infostealer spyware stealer
Link:
https://tria.ge/reports/210724-rjha6agqb6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Oski
StormKitty
StormKitty Payload
Malware Config
C2 Extraction:
web24host.com/a/a/www/
Unpacked files
SH256 hash:
e23244d8c735eda8095d79051f50fc10c4a06e010f598215b0ece047038fd8e8
MD5 hash:
e12b87ae5d7a03f95beeb3f3a0b6fd98
SHA1 hash:
89f02092649e0dd648e1c8581de81abe94896bc7
Link:
https://www.unpac.me/results/5c2753f3-ea6f-43e7-9f09-02cba36c3796/
SH256 hash:
ede724a90589cc98f1f1168dff6e882953876e46f98e4dcfb3c98725e10b1710
MD5 hash:
28a83547eb1383e80ea6af5e0120184d
SHA1 hash:
d06ff50d0e8237730307502dc4b27d6fe77f6e38
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/5c2753f3-ea6f-43e7-9f09-02cba36c3796/
SH256 hash:
d94c8028fa7fd7062dc2cd8c78b458d68bc7c8e8e260afc827bef217aeeac693
MD5 hash:
e4086615e3011d916a50689cef433c77
SHA1 hash:
24c38d07046c2781f01d98ae3d7b1d9a80ea69e0
Link:
https://www.unpac.me/results/5c2753f3-ea6f-43e7-9f09-02cba36c3796/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d94c8028fa7fd7062dc2cd8c78b458d68bc7c8e8e260afc827bef217aeeac693

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173814/

Comments