MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebd88634ecfbdc7e88bca32a0b22fa35e24c9feb309799128f3d12d2cceac224. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebd88634ecfbdc7e88bca32a0b22fa35e24c9feb309799128f3d12d2cceac224
SHA3-384 hash: 4044ef64fae9941a4d72042bdab7649423665fdfccf08cbb5a1644b26e3b0bea3bea90017ac1183ba531da8319db103d
SHA1 hash: 7e40ca578adc6790bee70f4a705c03a60b2e4ff6
MD5 hash: af02d7120e0060d42064f98a12bad0bb
humanhash: don-hawaii-winner-potato
File name:af02d7120e0060d42064f98a12bad0bb.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:449'042 bytes
First seen:2020-10-08 05:18:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 12288:EanHdiWLHmRzDw5u0Ej1wpbX+qDM1DXZtfZY:vJGRzDWKGpbX/sXZta
Threatray 2'554 similar samples on MalwareBazaar
TLSH 61A423552340F86FD8978A720F326A3ADFAD5E133566DF079B413E393476182E14E361
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69063/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484912
Signature
Contain functionality to detect virtual machines
Hijacks the control flow in another process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294896 Sample: y20dxdW3GQ.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 3 other signatures 2->52 11 y20dxdW3GQ.exe 56 2->11         started        process3 file4 32 C:\Users\user\AppData\Local\...\Courtesan.dll, PE32 11->32 dropped 34 C:\Users\user\AppData\...\cpConnectionC.dll, PE32 11->34 dropped 36 C:\Users\...\MicrosoftVisualStudioWebUI.dll, PE32 11->36 dropped 38 12 other files (none is malicious) 11->38 dropped 70 Contain functionality to detect virtual machines 11->70 15 rundll32.exe 11->15         started        signatures5 process6 signatures7 72 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->72 74 Hijacks the control flow in another process 15->74 76 Maps a DLL or memory area into another process 15->76 18 cmd.exe 15->18         started        process8 signatures9 54 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 18->54 56 Modifies the context of a thread in another process (thread injection) 18->56 58 Maps a DLL or memory area into another process 18->58 60 3 other signatures 18->60 21 explorer.exe 18->21 injected process10 dnsIp11 40 www.0755dazhe.com 23.235.182.106, 49735, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS United States 21->40 42 balancer.wixdns.net 35.242.251.130, 49736, 80 GOOGLEUS United States 21->42 44 3 other IPs or domains 21->44 62 System process connects to network (likely due to code injection or exploit) 21->62 25 raserver.exe 21->25         started        signatures12 process13 signatures14 64 Modifies the context of a thread in another process (thread injection) 25->64 66 Maps a DLL or memory area into another process 25->66 68 Tries to detect virtualization through RDTSC time measurements 25->68 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebd88634ecfbdc7e88bca32a0b22fa35e24c9feb309799128f3d12d2cceac224/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 00:05:14 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5pmimnhm7poh5cf4umvawix2gxrezh7lgclzseuphujnfthkyisa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
086616679314c8f75f9fa03cc722a56008166c8e9c8a63a653ed45d35628fdf4
Formbook
0e661b488a5571afb39ddf31bda089f7c032ed0a077501c3b7c8a31a0a6442d6
Formbook
3a10c525b2f0a94e7e9facfa4685490e9a46d0d6a62be53f570fa845cd680c56
Formbook
414578aa9e1ab74c43ae636f64758a5a2dd59ab81619aa054de1fb6c9140f2e6
Formbook
6e2a6ffd8aa7c33dca7aa63dd89a4b30b4bcb78d4a31db6d03d1f2434cf94e23
Formbook
72ec3dcd3d7a197c45c66605330968f86044d6a2ec37bf843e33b7f4668781f9
Formbook
a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b
Formbook
cfd29866a9e618985b15c779e0ac0ad8e09a9e997774c0d2fe18f00f8110a24a
Formbook
db4aad17cb58975d3c42dc37b92e7c8bfdce82da52c5eb6a5e87709cf906a684
Formbook
f69e7749b6798b4c4f258eebbedc77992536cc24bef9d1bf3d68315ad16abcf0
Formbook
+ 2'544 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201008-v22hb2xa96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.strivefalcon.com/c233/
Unpacked files
SH256 hash:
ebd88634ecfbdc7e88bca32a0b22fa35e24c9feb309799128f3d12d2cceac224
MD5 hash:
af02d7120e0060d42064f98a12bad0bb
SHA1 hash:
7e40ca578adc6790bee70f4a705c03a60b2e4ff6
Link:
https://www.unpac.me/results/dc208139-18f0-4ea0-a5e8-f215ad78cbfe/
SH256 hash:
d54df37db9869083c067008eb6b228462b02b4ccd3df3ce7aaf4a01b22ec5119
MD5 hash:
2e62bf7fd82f435975f2acd0a332afbe
SHA1 hash:
dbd59d54df9a6468a936b2831d4054e9b8502b63
Link:
https://www.unpac.me/results/dc208139-18f0-4ea0-a5e8-f215ad78cbfe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ebd88634ecfbdc7e88bca32a0b22fa35e24c9feb309799128f3d12d2cceac224

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe ebd88634ecfbdc7e88bca32a0b22fa35e24c9feb309799128f3d12d2cceac224

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/445907/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/453100/
Cape
Cape
https://www.capesandbox.com/analysis/69063/
  
URLhaus
https://urlhaus.abuse.ch/url/668603/

Comments