MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 084dbb4d5e285e79982c03d187a233b24f6fe7a4ac4af9821aeb8f4c475288df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 084dbb4d5e285e79982c03d187a233b24f6fe7a4ac4af9821aeb8f4c475288df
SHA3-384 hash: fb11aaaee2562add1728922043208f81a8c12ad955d6d76e025b59a37db1e83a9023655993d8922923df1adef361524f
SHA1 hash: a1e50a973500f3d1337731e0f729a5fc47886f0d
MD5 hash: 37786b05e34cfd33e84db10cf29788e4
humanhash: twelve-seven-zebra-kentucky
File name:SecuriteInfo.com.W32.AIDetectNet.01.19229.1650
Download: download sample
Signature Formbook
Create hunting rule
File size:396'312 bytes
First seen:2022-06-27 13:50:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:lDdayQE6m5XgJv60AEIf2MF7W7yWyENIaxIWGxfY+Isi0M:RIEpY60AEIf2MdoIpWGxfYz
TLSH T1A1849E6BB78C9B5DC6558A78B5F3823013A2DF532232DA057CC4FEAD0DB135DAA442C9
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6ccccc9cc4d8e8f4 (41 x Formbook, 34 x AgentTesla, 3 x AveMariaRAT)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/283593/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/62b9b6091fcdba4e1a6015b1/reports/8b99ce11-9c2e-4b3b-9573-fb4b66806607/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a8ecf84f-08a7-4668-a960-332aeb572477
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1020501
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 652998 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 27/06/2022 Architecture: WINDOWS Score: 100 26 xonmn08.shopicool.com 2->26 28 www.windchimessr.com 2->28 30 2 other IPs or domains 2->30 32 Snort IDS alert for network traffic 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus detection for URL or domain 2->36 38 7 other signatures 2->38 10 SecuriteInfo.com.W32.AIDetectNet.01.19229.exe 1 2->10         started        signatures3 process4 file5 24 SecuriteInfo.com.W...et.01.19229.exe.log, ASCII 10->24 dropped 46 Writes to foreign memory regions 10->46 48 Allocates memory in foreign processes 10->48 50 Injects a PE file into a foreign processes 10->50 52 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 10->52 14 cvtres.exe 10->14         started        signatures6 process7 signatures8 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 2 other signatures 14->60 17 explorer.exe 14->17 injected process9 process10 19 explorer.exe 17->19         started        signatures11 40 Modifies the context of a thread in another process (thread injection) 19->40 42 Maps a DLL or memory area into another process 19->42 44 Tries to detect virtualization through RDTSC time measurements 19->44 22 explorer.exe 1 156 19->22         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/084dbb4d5e285e79982c03d187a233b24f6fe7a4ac4af9821aeb8f4c475288df/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-27 08:22:03 UTC
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bbg3wtk6fbphtgbmapiypirtwjhw7z5evrfptaq25ohuyr2srdpq._file
Verdict:
malicious
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:nanocore family:xloader campaign:r8f2 keylogger loader rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220627-q5s9msdee6/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Xloader Payload
Formbook
NanoCore
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
seabillion.duckdns.org:1212
185.140.53.6:1212
Unpacked files
SH256 hash:
ca018c21a3e848b96d807bc5d7b465d147ca5005d83743ffc3fe79d840e82c16
MD5 hash:
17141e0156ed9702c4cb8f4807680053
SHA1 hash:
59c5365610742c5fb3b9cf06a1eab1f6143a241e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
XLoader
Create hunting rule
Link:
https://www.unpac.me/results/a097fd77-b2f2-4de2-b8b6-b445d992e299/
Parent samples :
d4aba71c5e7292eeea13722a41fc53166e50a6d7cdf6a1a28b94ca8c1cfc2245
60e52790f183036e12c61a0f9eb0cec90e757f8e862a9a49144849b9ceffb1c3
0fe570b36aa76e57a5f29405e9ffcdeacdb0bbb1e5baff240425049be6bb96a0
084dbb4d5e285e79982c03d187a233b24f6fe7a4ac4af9821aeb8f4c475288df
SH256 hash:
f912d01a6371895d503caf2e2fc1d8a15779d0170079e1189ce499ad095c44cd
MD5 hash:
ebe9dba3b774e4a2bfab572e9c56326c
SHA1 hash:
7ae39ff97c551202d50b549dfb973aa513b7a67c
Link:
https://www.unpac.me/results/a097fd77-b2f2-4de2-b8b6-b445d992e299/
SH256 hash:
084dbb4d5e285e79982c03d187a233b24f6fe7a4ac4af9821aeb8f4c475288df
MD5 hash:
37786b05e34cfd33e84db10cf29788e4
SHA1 hash:
a1e50a973500f3d1337731e0f729a5fc47886f0d
Link:
https://www.unpac.me/results/a097fd77-b2f2-4de2-b8b6-b445d992e299/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/084dbb4d5e285e79982c03d187a233b24f6fe7a4ac4af9821aeb8f4c475288df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_zgRAT
Create hunting rule
Author:ditekSHen
Description:Detects zgRAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/283593/

Comments