MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 041760471bc27a43bf84ff6bee7edce055983316c01cd984ade1872239c1a35c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 041760471bc27a43bf84ff6bee7edce055983316c01cd984ade1872239c1a35c
SHA3-384 hash: 676f34e31b90c63eb6448a3620e1f42614eabafd69731efe659ed626af753f83fc96a05901bc1a9da9289851ca7416fb
SHA1 hash: 62cd420154c2ce51948d69fec1f501774711ee15
MD5 hash: da769f7382703bf9887144ab8d4cb0bd
humanhash: steak-alaska-jersey-video
File name:UAE CUSTOMS NEW TARIFFS.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:992'256 bytes
First seen:2022-03-22 09:13:42 UTC
Last seen:2022-03-22 12:33:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:lToh/+nYHZz4xnN7bx4AlTgKA0O/ar6CIZL1fKZjWoqW2UK1f:lTohGyRKD6KkXL+nK1
Threatray 14'306 similar samples on MalwareBazaar
TLSH T16625235836754773CE6CABB2AC50524812B65A3D2853E31CCE93D2A6057F329FB8178F
Reporter pr0xylife
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/254058/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.27266.13435.3179.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Launching the process to change network settings
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/6239935f0cd58dbd92d56377/reports/ba808e49-0c1c-4837-9604-411bd818f4a4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6646a2d7-f632-48ca-9d6c-a2f90f605d71
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/961512
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 593993 Sample: UAE CUSTOMS NEW TARIFFS.exe Startdate: 22/03/2022 Architecture: WINDOWS Score: 100 29 www.dolphincomputergsk.com 2->29 31 dolphincomputergsk.com 2->31 33 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->33 35 Multi AV Scanner detection for domain / URL 2->35 37 Found malware configuration 2->37 39 10 other signatures 2->39 11 UAE CUSTOMS NEW TARIFFS.exe 3 2->11         started        signatures3 process4 file5 27 C:\Users\...\UAE CUSTOMS NEW TARIFFS.exe.log, ASCII 11->27 dropped 49 Injects a PE file into a foreign processes 11->49 15 UAE CUSTOMS NEW TARIFFS.exe 11->15         started        signatures6 process7 signatures8 51 Modifies the context of a thread in another process (thread injection) 15->51 53 Maps a DLL or memory area into another process 15->53 55 Sample uses process hollowing technique 15->55 57 Queues an APC in another process (thread injection) 15->57 18 explorer.exe 15->18 injected process9 process10 20 chkdsk.exe 18->20         started        signatures11 41 Self deletion via cmd delete 20->41 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/041760471bc27a43bf84ff6bee7edce055983316c01cd984ade1872239c1a35c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 07:36:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqlwary3yj5ehp4e75v647w44bkzqmywyaontbfn4gdseoobunoa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
374874898c5386561d60c3fae0482d1caee783f1096dda6742b1c073175a0a14
Formbook
3f0b6a2e50e39420c7b91acb35c08bb088c1ccaaa889491559a572dc481bf489
Formbook
4892e9b8ed5aa57661e3a1fd4bc2d48570cd416af12ab88bbade473ede45c1ed
Formbook
6fb859be1f19ec66d032758b38eade770aedc4f60b2341284ff407647980852b
Formbook
b36891ab4a7fa6be1680a65614dd5551a3fa8a89052c381a954601eedd82e62c
Formbook
c68894e6a7551cdf34c082a0ba372f9544d07aee0f2d09dfb7fed3e664e91aaf
Formbook
c86f3a2110ed2a8498cf30d4ab88cf9ea18edc612835fe2b369e7596dafb802e
Formbook
d89f28603b8948dd7217e42366328a6e9bd05d59e5de67a4c39f207f8a520d43
Formbook
df1510f64189b49ffeb4630c74af81a86888114102b493f52b5ad1c1cb58d121
Formbook
+ 14'296 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ubqk loader rat suricata
Link:
https://tria.ge/reports/220322-k7b59abbgn/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
d54e92129fe9926d2e995df71ecca40ba78e783dd22ba55d0f442a010b2f93da
MD5 hash:
5661ec0746d93b6ee0a2693f2e8a197e
SHA1 hash:
70cc5757db8ce3bcea5f830ca5b6e7ff72e62c31
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/522e516b-ad16-4749-9882-0fa142e922da/
Parent samples :
0e39ef64479fdca265d7a41809af208aa2720d8d3895187b5f8f7ea5370018bc
7de9f7a81557d4a2a6818b50b8f8ab8948ce6329bf1c696d038e1231237a07d0
041760471bc27a43bf84ff6bee7edce055983316c01cd984ade1872239c1a35c
b10824c56d2ef6aa6af1474f898e5578bb6f6155eb4f9cd63ef3e7fd36c2a827
SH256 hash:
c2243447cb3e81bbeb759eb15275005884f1889182add62a24335c73e592855f
MD5 hash:
3d9fc65b313b8671976baaab9bf16bd1
SHA1 hash:
88e45f32c018431248d2701d35f0b00f419de25f
Link:
https://www.unpac.me/results/522e516b-ad16-4749-9882-0fa142e922da/
SH256 hash:
301642ff8826ac264d1a78b36237b5ece99cb31a2d9cecd04aafb3449679d94b
MD5 hash:
f08268ddb5c1236b947fe2864860fc98
SHA1 hash:
772410110fee00fc53939b94c2f64069fa824cf4
Link:
https://www.unpac.me/results/522e516b-ad16-4749-9882-0fa142e922da/
SH256 hash:
cc0917c286e50c1c12ad1f595b484705e3570601f5c0579f478d79ad24315780
MD5 hash:
d73ef4a1967d141e961549a773a08887
SHA1 hash:
69c4cfd8fd11d61a4572d09d6b22fedb62af1195
Link:
https://www.unpac.me/results/522e516b-ad16-4749-9882-0fa142e922da/
SH256 hash:
041760471bc27a43bf84ff6bee7edce055983316c01cd984ade1872239c1a35c
MD5 hash:
da769f7382703bf9887144ab8d4cb0bd
SHA1 hash:
62cd420154c2ce51948d69fec1f501774711ee15
Link:
https://www.unpac.me/results/522e516b-ad16-4749-9882-0fa142e922da/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/041760471bc27a43bf84ff6bee7edce055983316c01cd984ade1872239c1a35c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/254058/

Comments