MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 096bfb362ac98121211651cf9c8343ae3d38636334e626d89e7212660507ec7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 096bfb362ac98121211651cf9c8343ae3d38636334e626d89e7212660507ec7a
SHA3-384 hash: 0a0e4dfa114aaaee2acdfbd67c2babfbe32f4b6898d02e2138cd43cc20eca8839fa6db30b7a9db141ddf110aacd5a3c8
SHA1 hash: b821e831f710cc94e8d3bd38d27e608acc93f2e0
MD5 hash: 779dbb223377fa754be8cc64b2ed61ed
humanhash: vermont-hawaii-cold-aspen
File name:SUPPLY OF YOUR PRODUCTS_PDF_________________________________....exe
Download: download sample
Signature Formbook
Create hunting rule
File size:942'080 bytes
First seen:2022-03-08 12:51:42 UTC
Last seen:2022-03-08 14:42:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:hNLQTVuEYgBeD8QZ1xoIwaxkCbqfSX42SSf:vnD1vxo3GrbB
Threatray 14'668 similar samples on MalwareBazaar
TLSH T17A15BE14BA66303FE16B8E764BC0AC2349D7B5760206E2AF6C5EC6484FDA67DCD81C71
Reporter pr0xylife
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248262/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.28436.9901.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/622799d8dfdfa8501c7b6f94/reports/d986c3b5-5378-419f-8c07-1cab5e08e429/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e3074356-a0cb-4512-84d7-5bfa90edb8a7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952541
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicius Schtasks From Env Var Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 585020 Sample: SUPPLY OF YOUR PRODUCTS_PDF... Startdate: 08/03/2022 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 15 other signatures 2->48 10 SUPPLY OF YOUR PRODUCTS_PDF_________________________________....exe 7 2->10         started        process3 file4 34 C:\Users\user\AppData\...\TQhxpJeDJICO.exe, PE32 10->34 dropped 36 C:\Users\...\TQhxpJeDJICO.exe:Zone.Identifier, ASCII 10->36 dropped 38 C:\Users\user\AppData\Local\...\tmpFC01.tmp, XML 10->38 dropped 40 SUPPLY OF YOUR PRO...________....exe.log, ASCII 10->40 dropped 50 Adds a directory exclusion to Windows Defender 10->50 52 Injects a PE file into a foreign processes 10->52 14 SUPPLY OF YOUR PRODUCTS_PDF_________________________________....exe 10->14         started        17 powershell.exe 25 10->17         started        19 schtasks.exe 1 10->19         started        signatures5 process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 21 explorer.exe 14->21 injected 23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        process8 process9 27 help.exe 21->27         started        signatures10 54 Self deletion via cmd delete 27->54 56 Modifies the context of a thread in another process (thread injection) 27->56 58 Maps a DLL or memory area into another process 27->58 60 Tries to detect virtualization through RDTSC time measurements 27->60 30 cmd.exe 1 27->30         started        process11 process12 32 conhost.exe 30->32         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/096bfb362ac98121211651cf9c8343ae3d38636334e626d89e7212660507ec7a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-08 12:52:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bfv7wnrkzgasciiwkhhzza2dvy6tqy3dgttcnwe6oijgmbih5r5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
070264132f92fc5cb01521385e73bf36954d4093da205c59821e844abed68b5f
Formbook
2b8c162f4a3747097fcda26d4301f809b515a77f1644bfdb636b39fe263694ee
Formbook
31f44a55873cb84506a1213469e0c884eb7f8b4dea91197bedf8a892c1404654
Formbook
39586764971f496d274f3d453029954720962ed36672050b742aef8b4e68a78e
Formbook
510bc545d130a8a3ba0761398b897e7f0840a393d7cd12d98699525e0eb8bfff
Formbook
545d130d10ca2961ab5d1f3072049cea68154c9ed04d6b7fa408f7c81be10c2a
Formbook
6077a6a5a6270bd0cbd94bd424294d9c1afe129e72ac671db981245f4e294234
Formbook
afdf1b728a94beb99d17537a9caa1cad644b86725578ac3fb350cf30c9441e7b
Formbook
b55fdab1b973c44e6fb9e7689cd2f41e191a79078fc5c0c0a9d6c8387ea9340d
Formbook
d6b928a4292c14dee552691c4955bdff07d038470ec1419c88a4018fb06bd399
Formbook
+ 14'658 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:gqav loader rat
Link:
https://tria.ge/reports/220308-p34rxsehc5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Xloader Payload
Xloader
Unpacked files
SH256 hash:
884d3210194257dcef4ce045659d04b27db7eedcecd3899190ff669d1a77c904
MD5 hash:
59700ee892e8c17016080d0d87d6ae9c
SHA1 hash:
bd8deeaabd224b84e51f945e37ea015e37501141
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/34019184-6fed-41d2-a428-5d4bf2936905/
Parent samples :
7f704b4cfcfd4d98be0ec20f02a4e4a74bfb883d7bce167bd5da415e016d00fc
096bfb362ac98121211651cf9c8343ae3d38636334e626d89e7212660507ec7a
SH256 hash:
175285bfa8a73b3990f54994b8825c1f3396635bc344939cd8d9fc60b9569b46
MD5 hash:
f26eb90c6addfc99fa0c2e63896216d2
SHA1 hash:
77e01b96d8c211d4d24fc0a1aae91122caf5f668
Link:
https://www.unpac.me/results/34019184-6fed-41d2-a428-5d4bf2936905/
SH256 hash:
f8e7b0b4470844a7d6c956d34ae5cdfe70daf04d6fedad5ce6abe72cf3fb0302
MD5 hash:
d5cf7c0aef741f903324d2ea0d4ec25d
SHA1 hash:
35c1c6fb410d1570a0f6a9bb8991004a66ad0eed
Link:
https://www.unpac.me/results/34019184-6fed-41d2-a428-5d4bf2936905/
SH256 hash:
d22302b0ee45161a9dc507f6bb33a56466ad486457082d0ec66ecc84ee753095
MD5 hash:
be9d23c4dd2c26def1e108dc52c9fcd6
SHA1 hash:
2d693d62663e84248ec73fb42690c83fcde0e590
Link:
https://www.unpac.me/results/34019184-6fed-41d2-a428-5d4bf2936905/
SH256 hash:
096bfb362ac98121211651cf9c8343ae3d38636334e626d89e7212660507ec7a
MD5 hash:
779dbb223377fa754be8cc64b2ed61ed
SHA1 hash:
b821e831f710cc94e8d3bd38d27e608acc93f2e0
Link:
https://www.unpac.me/results/34019184-6fed-41d2-a428-5d4bf2936905/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/096bfb362ac9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/096bfb362ac98121211651cf9c8343ae3d38636334e626d89e7212660507ec7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/248262/

Comments