MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00540181c6bbda7cb051c8cf32ab6767bd8c50d0f5de65e7939485849aa69957. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00540181c6bbda7cb051c8cf32ab6767bd8c50d0f5de65e7939485849aa69957
SHA3-384 hash: df541ace757c5a0a45c253a7257e342ca08d9ddce672a6a1341229cbfb10d1e8aa79eec97e556e1fcaa910f0608c8031
SHA1 hash: a6c5fdc45568b74602e42926b94ac334637a1eb1
MD5 hash: db24615ec3585578664b5daf0a9404c4
humanhash: avocado-magazine-blue-white
File name:SecuriteInfo.com.Win32.Trojan.Inject.Auto.29141.32007
Download: download sample
Signature Formbook
Create hunting rule
File size:62'048 bytes
First seen:2021-03-09 10:49:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:H2BGXTr6MgNS9lZNpJgNPgN8SFb0MQhO3YG:TDgNS9lZNpJgNPgN8SFb0MQhO3YG
Threatray 4'174 similar samples on MalwareBazaar
TLSH E153345CE7860F32F82E76F2311336931995D6D2BF1292B8F19EB01D99D7A0A244DEC4
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b9a2ff579d96535b739483b729aa2fbd7f9905b9c11163a1e331a6b2a8ad0daf
Verdict:
Malicious activity
Analysis date:
2021-03-09 06:17:00 UTC
Tags:
trojan opendir exploit CVE-2017-11882 loader formbook stealer
Link:
https://app.any.run/tasks/ac198d2a-d1fd-41e9-93bd-70f331a069bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123136/
Detection(s):
SecuriteInfo.com.Win32.Trojan.Inject.Auto.29141.32007.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a UDP request
Creating a file
Moving a recently created file
Launching a process
Creating a process with a hidden window
Running batch commands
Unauthorized injection to a recently created process
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Blocking the User Account Control
Adding exclusions to Windows Defender
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/632622
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 365286 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 09/03/2021 Architecture: WINDOWS Score: 100 30 Multi AV Scanner detection for domain / URL 2->30 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 5 other signatures 2->36 7 SecuriteInfo.com.Win32.Trojan.Inject.Auto.29141.exe 17 8 2->7         started        process3 dnsIp4 26 liverpoolofcfanclub.com 104.21.31.39, 49705, 80 CLOUDFLARENETUS United States 7->26 38 Adds a directory exclusion to Windows Defender 7->38 40 Tries to detect virtualization through RDTSC time measurements 7->40 42 Hides threads from debuggers 7->42 44 Injects a PE file into a foreign processes 7->44 11 cmd.exe 1 7->11         started        13 WerFault.exe 23 9 7->13         started        16 powershell.exe 26 7->16         started        18 SecuriteInfo.com.Win32.Trojan.Inject.Auto.29141.exe 7->18         started        signatures5 process6 dnsIp7 20 conhost.exe 11->20         started        22 timeout.exe 1 11->22         started        28 192.168.2.1 unknown unknown 13->28 24 conhost.exe 16->24         started        process8
Gathering data
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-03-09 08:14:14 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
064cad19bee4580a82bc4ee3558e8510100ebba8da83720749f553cc411d5cb3
Formbook
06fa1b160e322bd7710c9110b1e4e873795b5c2680b8bbe70bbaf23484533459
Formbook
12e42bff4fa377032623342ac1f23a5c87225a40ef8b900cbb06ae4bd203864d
Formbook
6c131f342e8226706ba1b39cc955852b022130c14ea12bd3b3cf340bbea25bf6
Formbook
7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd
Formbook
92ddc88d7c1bde849c18747f4fcd526c240a81efe9c74ee1dcaa4a72ecc9ac3a
Formbook
a6f46c55982462a48a9fa43feb02b514df87a97b06a1ee073c57ae132cc1bec7
Formbook
af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991
Formbook
c8aaa220adc918c9972a9c588db765290bf51553bed7da48c604d188136d3073
Formbook
e091222f766082c33c0606405115206cb2d915929dfe2ac899b1945d6442c512
Formbook
+ 4'164 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader evasion loader rat trojan
Link:
https://tria.ge/reports/210309-fern4bbpda/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Windows security modification
Xloader Payload
UAC bypass
Windows security bypass
Xloader
Malware Config
C2 Extraction:
http://www.theaniyahgroup.com/rugs/
Unpacked files
SH256 hash:
00540181c6bbda7cb051c8cf32ab6767bd8c50d0f5de65e7939485849aa69957
MD5 hash:
db24615ec3585578664b5daf0a9404c4
SHA1 hash:
a6c5fdc45568b74602e42926b94ac334637a1eb1
Link:
https://www.unpac.me/results/c78271b0-ee55-4953-87ab-4c0bee147486/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy Activity
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/00540181c6bbda7cb051c8cf32ab6767bd8c50d0f5de65e7939485849aa69957

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 00540181c6bbda7cb051c8cf32ab6767bd8c50d0f5de65e7939485849aa69957

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/123136/
  
URLhaus
https://urlhaus.abuse.ch/url/1056287/
  
Delivery method
Distributed via web download

Comments