MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664
SHA3-384 hash: fad75ca6f0f0cf6321e58d60f4bafb57a46dc0094ee9c31d795217ab091a8259a6f140fb96e8775b72c44a46275864d0
SHA1 hash: 62764e915771688218d9e93d139a85f8d983e2b8
MD5 hash: a8417cfd71637c7371986737cff269cf
humanhash: south-quebec-sixteen-single
File name:worked.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:794'624 bytes
First seen:2021-01-21 15:37:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:X6K1gYUGwBjk5ThBxvAl+rKr002V0i3qUqPVI:X6ogYUnBw5Th/wr20i6B
Threatray 3'608 similar samples on MalwareBazaar
TLSH D1F47CAC325075DFC967C872DAA81C24EB60B47B570BD203A06715ADEE4D99BDF240F2
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
worked.exe
Verdict:
Malicious activity
Analysis date:
2021-01-21 15:40:43 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/cd6746a4-d584-4580-a2c7-7d6083e091dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114571/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42809.9627.8782.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/587424
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 342738 Sample: worked.exe Startdate: 21/01/2021 Architecture: WINDOWS Score: 100 43 www.eshelwoodwork.com 2->43 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 10 other signatures 2->57 11 worked.exe 7 2->11         started        signatures3 process4 file5 35 C:\Users\user\AppData\...\kZrPLNaWRaF.exe, PE32 11->35 dropped 37 C:\Users\...\kZrPLNaWRaF.exe:Zone.Identifier, ASCII 11->37 dropped 39 C:\Users\user\AppData\Local\...\tmp54FD.tmp, XML 11->39 dropped 41 C:\Users\user\AppData\...\worked.exe.log, ASCII 11->41 dropped 61 Detected unpacking (changes PE section rights) 11->61 63 Detected unpacking (overwrites its own PE header) 11->63 65 Tries to detect virtualization through RDTSC time measurements 11->65 15 worked.exe 11->15         started        18 schtasks.exe 1 11->18         started        20 worked.exe 11->20         started        signatures6 process7 signatures8 73 Modifies the context of a thread in another process (thread injection) 15->73 75 Maps a DLL or memory area into another process 15->75 77 Sample uses process hollowing technique 15->77 79 Queues an APC in another process (thread injection) 15->79 22 explorer.exe 15->22 injected 26 conhost.exe 18->26         started        process9 dnsIp10 45 www.brandonandrana.com 156.254.243.114, 49748, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 22->45 47 www.xaozal.com 64.98.145.30, 49743, 80 TUCOWS-3CA Canada 22->47 49 5 other IPs or domains 22->49 59 System process connects to network (likely due to code injection or exploit) 22->59 28 NETSTAT.EXE 22->28         started        signatures11 process12 signatures13 67 Modifies the context of a thread in another process (thread injection) 28->67 69 Maps a DLL or memory area into another process 28->69 71 Tries to detect virtualization through RDTSC time measurements 28->71 31 cmd.exe 1 28->31         started        process14 process15 33 conhost.exe 31->33         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664/
Threat name:
ByteCode-MSIL.Packed.Confuser
Create hunting rule
Status:
Malicious
First seen:
2021-01-21 15:36:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 28 (64.29%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5wag2glmjscxhnyejyvb7ghqcutzi7dosxuxu3u3aypn43whkzsa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ae22d4877231b64b2e9e1252bbe8636ea43fe5692ca899733e715ccfc82e224
Formbook
18030a9ea4cf60ea858db8b302cdd94962069f232be6212787ad1ddca0bbbe54
Formbook
458bd08f0c32719adc9d2858721b609b136ff0e21c2f3ac3f4be4f97e4084b7a
Formbook
7139fbd600738d2f456c7f11ae105e45ab0bb6e14a473ae0e68391b8125da393
Formbook
7a47a855968f4e82d6cc2d35186d2d56468701bc5587cc87f82a847bd2c45ae5
Formbook
7ea2c8d69111747b33a25c445e7f3fabd30f9b1d74d45383f87e6d6451248a53
Formbook
a026f6e6988f126a35bb044b7215fa5fb20a41a3b3bac722bfb7f53e670cc0f4
Formbook
a8f4da2076bc00264891bc7872e70f245f47807c268fb921fc135b711c817b34
Formbook
c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0
Formbook
f53df4e1f9405d98a02cf34bedf2ee5df88437c130eb339eb6da9850f14ad443
Formbook
+ 3'598 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook ransomware rat spyware stealer trojan
Link:
https://tria.ge/reports/210121-lg31qstfsx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.maalkhairaatwosu.com/zn7/
Unpacked files
SH256 hash:
d00c5e5ce8053c66c83643e8a85466920e4d8e24bf4602f08038ebbe736ad604
MD5 hash:
e63dd949b7d06a836c5007b2997fc731
SHA1 hash:
561aff3ca4f8c56cabd494155047953743ca0e24
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b7ae6e11-962e-467b-9655-cd8d1e7ee90b/
Parent samples :
ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664
9065643b6a648d1cb47f8364f79e2c159af0e152b0b61c5a4819cf50e9d35ca0
ee2156519aef9988f7b0e5a2932bf378d3605f66128fcadf7023e6ba24b4557f
0b95efedfa44c08b29463a372e6717efc4874333af63da3cfd003bc86f4ce366
SH256 hash:
0f59da013c239e40b645d5aa7cfbb3ef8778d8586e6a99880e789cda83b94043
MD5 hash:
3b859c8e03bd1f151dfd60e9699d31f6
SHA1 hash:
da876b86c5c4ec590b67c9b265ca1ce530350df9
Link:
https://www.unpac.me/results/b7ae6e11-962e-467b-9655-cd8d1e7ee90b/
SH256 hash:
4d12c7fe92daf016f3508ea3191c24871406d54e8fa2b37563283b22f22a9aa5
MD5 hash:
be4306b1cdcd8868155e17f50875f923
SHA1 hash:
39b2002755c1a9576beb546ed6009de5ca37a2e6
Link:
https://www.unpac.me/results/b7ae6e11-962e-467b-9655-cd8d1e7ee90b/
SH256 hash:
ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664
MD5 hash:
a8417cfd71637c7371986737cff269cf
SHA1 hash:
62764e915771688218d9e93d139a85f8d983e2b8
Link:
https://www.unpac.me/results/b7ae6e11-962e-467b-9655-cd8d1e7ee90b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/973360/
Cape
Cape
https://www.capesandbox.com/analysis/114571/

Comments