MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 083652d241877c1d5b89477de317ceea0cf34bb4f790c59e597fd5ba33184aff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 083652d241877c1d5b89477de317ceea0cf34bb4f790c59e597fd5ba33184aff
SHA3-384 hash: a5ed233899919631b8586ec65e64330949da1653514aac61c758ae253020949cb5babb4e2be1ecc10d01245e913bcb0f
SHA1 hash: b97289f244bba51a8c05e1380b2ff4e0c7772b66
MD5 hash: 97a942b9a247029596f897a37337d6ea
humanhash: bluebird-east-eighteen-sweet
File name:ENQUIRYSMRT119862021-ERW PIPES.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:665'600 bytes
First seen:2021-09-07 07:59:18 UTC
Last seen:2021-09-08 12:11:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:bcFJLgGvFi+748E7MTqlr+om0n2zdTfUKCvTVZcdMYVmhEkdiMZs:s4imMT8r+V0n2zxfUbvTIdJchExC
Threatray 9'213 similar samples on MalwareBazaar
TLSH T121E40B3E58FE23279176C7D5CBE48823F6C098AF3233A96467D747664316A4674C322E
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ENQUIRYSMRT119862021-ERW PIPES.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-07 08:00:23 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/8e26c3e9-0f59-49d2-8058-4120511d48ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185945/
Detection(s):
Sanesecurity.Rogue.0hr.20210907-1204.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e1903f9-9a7c-499f-ab73-1413866bc285
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846359
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 478787 Sample: ENQUIRYSMRT119862021-ERW PI... Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 35 www.maplewoof.com 2->35 37 maplewoof.com 2->37 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 10 other signatures 2->49 11 ENQUIRYSMRT119862021-ERW PIPES.pdf.exe 3 2->11         started        signatures3 process4 signatures5 59 Writes to foreign memory regions 11->59 61 Allocates memory in foreign processes 11->61 63 Injects a PE file into a foreign processes 11->63 14 RegSvcs.exe 11->14         started        process6 signatures7 65 Modifies the context of a thread in another process (thread injection) 14->65 67 Maps a DLL or memory area into another process 14->67 69 Sample uses process hollowing technique 14->69 71 2 other signatures 14->71 17 explorer.exe 14->17 injected process8 dnsIp9 29 freedomroaddispensary.com 185.246.46.93, 49724, 80 O2SWITCHFR France 17->29 31 www.annaquatics.tech 109.68.33.64, 49715, 49716, 80 GD-EMEA-DC-LD5GB United Kingdom 17->31 33 11 other IPs or domains 17->33 41 System process connects to network (likely due to code injection or exploit) 17->41 21 rundll32.exe 12 17->21         started        signatures10 process11 dnsIp12 39 www.annaquatics.tech 21->39 51 System process connects to network (likely due to code injection or exploit) 21->51 53 Modifies the context of a thread in another process (thread injection) 21->53 55 Maps a DLL or memory area into another process 21->55 57 Tries to detect virtualization through RDTSC time measurements 21->57 25 cmd.exe 1 21->25         started        signatures13 process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/083652d241877c1d5b89477de317ceea0cf34bb4f790c59e597fd5ba33184aff/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 08:00:20 UTC
AV detection:
10 of 43 (23.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ba3ffusbq56b2w4ji566gf6o5igpgs5u66imlhszp7k3umyyjl7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2642fecff2db22c3d6eaa889d838d52fbd765ad4a9a857aacb2e3ad6441f91c9
Formbook
2da03a9564c290809929171b65ee75ec8c35b7c4a2147f2ba6e24072c1a520e6
Formbook
35010478a1deb14596e40b68bff541fdf1567b67116de6c8b3146f7352159420
Formbook
3ab2ff5459a46d33405f2c4a2853dbd9c21b09fd8f7abf0bb9683736f372776b
Formbook
55f20748f621bf247877b71a3682640e5ec013d51c52363b5c51cca50b44c1bf
Formbook
5825aeeb434941442b66d2184494dddd1c500545e32e4a19ceaaba0cbbd8adc0
Formbook
6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92
Formbook
6fac6e1f7f8cdd8cec52b2dd7a23fd434084c7d12ef0f04deaa52794d3612ef7
Formbook
b5e3426a888ddb5751f9802093f1bd10ec696b2994bee03b99b7ba2b4f21a57d
Formbook
caee115a3bb2028fd81681b1fef997f87893c603dd42ca0932896029424ed1e7
Formbook
+ 9'203 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ntem loader rat suricata
Link:
https://tria.ge/reports/210907-jv3xrsfdhj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.ransoneransone.com/ntem/
Unpacked files
SH256 hash:
52fc841a6dd0da6ee5577dfeed1e5824ea6447bb4e27511ea0b679490e36f54a
MD5 hash:
a19edb18591f07ec54557fc82c778ed5
SHA1 hash:
eb635efb80e7c40a14cf7350d4e136690ab71d86
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2fa55cf4-fe55-4000-8232-fea272d3ce02/
Parent samples :
5825aeeb434941442b66d2184494dddd1c500545e32e4a19ceaaba0cbbd8adc0
083652d241877c1d5b89477de317ceea0cf34bb4f790c59e597fd5ba33184aff
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/2fa55cf4-fe55-4000-8232-fea272d3ce02/
SH256 hash:
0d88814cbef4d5453830e3cd0d6562a0d7c09041dee76388b32ef53f85577924
MD5 hash:
fe1677fc213f2921fa1254e6e0ef2302
SHA1 hash:
c9e1ec70591c1541d28efb57310a7d97a69c4dde
Link:
https://www.unpac.me/results/2fa55cf4-fe55-4000-8232-fea272d3ce02/
SH256 hash:
083652d241877c1d5b89477de317ceea0cf34bb4f790c59e597fd5ba33184aff
MD5 hash:
97a942b9a247029596f897a37337d6ea
SHA1 hash:
b97289f244bba51a8c05e1380b2ff4e0c7772b66
Link:
https://www.unpac.me/results/2fa55cf4-fe55-4000-8232-fea272d3ce02/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/083652d24187/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/083652d241877c1d5b89477de317ceea0cf34bb4f790c59e597fd5ba33184aff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 083652d241877c1d5b89477de317ceea0cf34bb4f790c59e597fd5ba33184aff

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/185945/

Comments