MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04e98a900ca361b68ebcfbad6453ddc626d93c8afb13916c18dd0e9648187566. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04e98a900ca361b68ebcfbad6453ddc626d93c8afb13916c18dd0e9648187566
SHA3-384 hash: 455e6075831ce2476722366ab7a878d2646f3c54aedd47bbf0214a6eaf612565018309771a21f31cb568415021a6015f
SHA1 hash: a545b6bc8ab5afd12feb22686af50f4075fb61cd
MD5 hash: 2a59d2396654692dc87a81df7554b608
humanhash: mobile-fix-helium-california
File name:2a59d2396654692dc87a81df7554b608
Download: download sample
Signature Formbook
Create hunting rule
File size:443'392 bytes
First seen:2021-09-17 21:08:24 UTC
Last seen:2021-09-17 21:49:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dcf2f9fcff3367bb9fab051bdc1c6f91 (2 x Loki, 1 x RemcosRAT, 1 x Formbook)
ssdeep 6144:1+j7ADL5mgPkQNac4hRyu+QO+IjNeiKFoESrDxBDs/t8zJJqxiu:4g5T47O+iN7KFoEMDxBol0Jqx
Threatray 9'535 similar samples on MalwareBazaar
TLSH T14794AE127BC8D870E89241B97004E7EA05797C76492BCB5B77C72B4F28707EA9626F13
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
337
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Additional Order Qty 197.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-14 08:43:55 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/c05b128c-cdca-44f0-b609-6c9e263b48a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188847/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.23680.13695.11750.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f648b21a-5bff-45b0-9a04-3316698542c1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853075
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 485504 Sample: EpeQoT8vP8 Startdate: 17/09/2021 Architecture: WINDOWS Score: 100 30 www.asteroid.finance 2->30 32 www.naughty0milf.today 2->32 34 parkingpage.namecheap.com 2->34 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 4 other signatures 2->44 9 EpeQoT8vP8.exe 1 2->9         started        signatures3 process4 signatures5 52 Maps a DLL or memory area into another process 9->52 54 Tries to detect virtualization through RDTSC time measurements 9->54 12 EpeQoT8vP8.exe 9->12         started        15 conhost.exe 9->15         started        process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 12->56 58 Maps a DLL or memory area into another process 12->58 60 Sample uses process hollowing technique 12->60 62 Queues an APC in another process (thread injection) 12->62 17 explorer.exe 12->17 injected process8 dnsIp9 24 www.starlangue.com 77.222.61.114, 49769, 80 SWEB-ASRU Russian Federation 17->24 26 www.dollyvee.com 91.195.240.117, 49791, 80 SEDO-ASDE Germany 17->26 28 16 other IPs or domains 17->28 36 System process connects to network (likely due to code injection or exploit) 17->36 21 control.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04e98a900ca361b68ebcfbad6453ddc626d93c8afb13916c18dd0e9648187566/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 16:11:15 UTC
AV detection:
34 of 45 (75.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=atuyveamunq3ndv47owwiu65yytnspek7mjzc3ay3uhjmsayovta._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
23cc105fad71d71dced93e63fdbab55354b4dc9700fb0de855acedaf5723ed9c
Formbook
3643c16e7017696ca2809399d3edbf2f7f7298e4ef3246951fac256e86176716
Formbook
39d6d6751f8690fc26a41d18d14f076fce5cdffeceecdd1738d731e4ce7ddda5
Formbook
4311e97e616734f94d1aa4d38f37679749ae84513d132aee134fbc364d25b6ec
Formbook
4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be
Formbook
87fb0ca5b0ebcc0dc80aeca8065b2e2bf1ec14cade124316227646bc59ad237c
Formbook
b8ae452aae57b904e1058a00c0a22dc8c9fa86e5b042d7fe5c812f724b7531a6
Formbook
b9c2ee51c09cff84cc488657064074f9c50384b8e84e3a90a00f0510a27b4cdf
Formbook
ebe1f420ea3fcef5b426cf6458d23984e12c4ceb5983571699f60aaa963b159a
Formbook
f547d8d44d91b4d09f1323857e573c31a8cb0fb1ed949cc0f8c90f6ea807b23c
Formbook
+ 9'525 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b6a4 loader rat
Link:
https://tria.ge/reports/210917-zze99sbdaj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.helpmovingandstorage.com/b6a4/
Unpacked files
SH256 hash:
f9c0e645ceaf425d5da3ecbb6bbc235b8bec4f8d66b67d8cff2adcc5648d0b98
MD5 hash:
691d8f061dddda87e5c0402d5fa98f66
SHA1 hash:
66f28c50888488d0db0fc678b6457fcacb807602
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e0a243b5-2143-4cd3-bcff-8f3d459952f1/
Parent samples :
4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be
a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564
04e98a900ca361b68ebcfbad6453ddc626d93c8afb13916c18dd0e9648187566
SH256 hash:
04e98a900ca361b68ebcfbad6453ddc626d93c8afb13916c18dd0e9648187566
MD5 hash:
2a59d2396654692dc87a81df7554b608
SHA1 hash:
a545b6bc8ab5afd12feb22686af50f4075fb61cd
Link:
https://www.unpac.me/results/e0a243b5-2143-4cd3-bcff-8f3d459952f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04e98a900ca361b68ebcfbad6453ddc626d93c8afb13916c18dd0e9648187566

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 04e98a900ca361b68ebcfbad6453ddc626d93c8afb13916c18dd0e9648187566

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1628619/
  
URLhaus
https://urlhaus.abuse.ch/url/1628624/
Cape
Cape
https://www.capesandbox.com/analysis/188847/

Comments


Avatar
zbet commented on 2021-09-17 21:08:25 UTC

url : hxxp://198.12.107.117/word/vbc.exe