MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d191570930382397a371a8f1fb19bd8aa7151e2f48090b11a473d65db5e0cb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d191570930382397a371a8f1fb19bd8aa7151e2f48090b11a473d65db5e0cb5
SHA3-384 hash: f26332485c93aceaef816459e791d027106e16d871558f92e0f758c51f64795bf77f546a4a367d2977daedb925900b4f
SHA1 hash: d9f7c013ec38613f53d1cd7bc9bab4222d056b17
MD5 hash: f0bbbd62e7d944d946ad2c516a9d4bbe
humanhash: harry-double-eleven-echo
File name:HEQ211025001T-EXPP v4.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:693'760 bytes
First seen:2021-12-02 14:25:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:RpYcrq3cPv/1s77+H/zAP0U7WsH5lyAKp:RpYcrbn/1s77+L07RH5lWp
Threatray 10'170 similar samples on MalwareBazaar
TLSH T1F6E4F1503068C2D3E2BE0DB2685EE23521F83A9EE19A914F76C9B75E60F3752045E37D
File icon (PE):PE icon
dhash icon 8084a48cbc8ce4f8 (44 x Formbook, 20 x AveMariaRAT, 11 x SnakeKeylogger)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HEQ211025001T-EXPP v4.exe
Verdict:
Malicious activity
Analysis date:
2021-12-02 15:14:55 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/24856eac-42f1-4eea-82f6-b4edc8aa4515

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/210728/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Launching a process
Creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61a8d785707a51cfe28b5f38/reports/b25a0ff2-9c75-46d6-8c59-90990c384178/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4de68ce7-b083-4be0-a41b-59cd987c6e0b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/900263
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 532742 Sample: HEQ211025001T-EXPP#U00a0v4.exe Startdate: 02/12/2021 Architecture: WINDOWS Score: 100 28 www.nourishtothrive.online 2->28 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 4 other signatures 2->42 10 HEQ211025001T-EXPP#U00a0v4.exe 3 2->10         started        signatures3 process4 file5 26 C:\...\HEQ211025001T-EXPP#U00a0v4.exe.log, ASCII 10->26 dropped 13 vbc.exe 10->13         started        process6 signatures7 52 Modifies the context of a thread in another process (thread injection) 13->52 54 Maps a DLL or memory area into another process 13->54 56 Sample uses process hollowing technique 13->56 58 2 other signatures 13->58 16 explorer.exe 13->16 injected process8 signatures9 34 System process connects to network (likely due to code injection or exploit) 16->34 19 msdt.exe 16->19         started        process10 signatures11 44 Modifies the context of a thread in another process (thread injection) 19->44 46 Maps a DLL or memory area into another process 19->46 48 Tries to detect virtualization through RDTSC time measurements 19->48 22 explorer.exe 2 154 19->22         started        process12 dnsIp13 30 www.nuvy.digital 22->30 32 nuvy.digital 34.102.136.180, 49855, 80 GOOGLEUS United States 22->32 50 System process connects to network (likely due to code injection or exploit) 22->50 signatures14
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0d191570930382397a371a8f1fb19bd8aa7151e2f48090b11a473d65db5e0cb5/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-11-29 00:55:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
34
AV detection:
28 of 45 (62.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bumrk4etaobds6rxdkhr7mm33cvhcupc6sajbmi2i46wlw26bs2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0e4457b67ffa5012b613997788d6993355a18568bdc30c4c2e76f8ec9313aa0b
Formbook
26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495
Formbook
3b5e31e4b62087dfa7cac1a39c31896d25d465c971fe1db3e9a9271471ce416d
Formbook
570f6cf56c833b755dcf8618a0182d27fd9ac39a0ad4595ea9a774f346970b7b
Formbook
6c6411e168c6e04022e9314130b25ae03380de6791d6a801f150679fddb64934
Formbook
7343dc198d87dda35588f5efe8fb5ba871a2ab041df2349625377a91399465ac
Formbook
c0064ec7925f6ba2b202bac90707efb73e2c843ad4c946a12fdf3c49be910fbc
Formbook
c6106fc0a5a8a0fb4a2245bd159b22ed22ec40840826b51b585f78f97f860be8
Formbook
+ 10'160 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:seqa loader rat suricata
Link:
https://tria.ge/reports/211202-rrwnaahfgk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.hybridsea.com/seqa/
Unpacked files
SH256 hash:
4445e6169ee2064cac414bb32b65e1685546644926bd081026a4c2ea568339a2
MD5 hash:
49786a0dbb57389e948893b125a90c14
SHA1 hash:
cd393e046e71681bd1cfdddd7ee1db3421cd7057
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b177f9d0-46cf-4f06-a0a2-50aef6cbf206/
Parent samples :
639d4b0e8dca5185a1783c06b52360ef09df62cc065d0edfd1702cc6d83a025e
e96c0ffc73eec789eab058d77bed0e9246f485bbfada89dbad4b73430461780f
570f6cf56c833b755dcf8618a0182d27fd9ac39a0ad4595ea9a774f346970b7b
3b5e31e4b62087dfa7cac1a39c31896d25d465c971fe1db3e9a9271471ce416d
c0064ec7925f6ba2b202bac90707efb73e2c843ad4c946a12fdf3c49be910fbc
0d191570930382397a371a8f1fb19bd8aa7151e2f48090b11a473d65db5e0cb5
be36f7b67439a45588b41b9c19a15bfde3545ddd5eef1366d2610831260d40fb
SH256 hash:
dbc93f4b47396da3527c6ca75a52162890b884fb0cf9437afc9a6992b8f5e9d0
MD5 hash:
c2554b53d7f8cda5fcbaae1ebe09f811
SHA1 hash:
f12e8513a1448e94224fbbed35cf93226448c576
Link:
https://www.unpac.me/results/b177f9d0-46cf-4f06-a0a2-50aef6cbf206/
SH256 hash:
b19104b568ca3ddccc2a8d3d10ecddb1ea240171e798dc3a486292cfa14b6365
MD5 hash:
7b0900da932f4ed9630d65b04422736d
SHA1 hash:
6fa340436e3a8e73ae2b3e911f861483183c68ef
Link:
https://www.unpac.me/results/b177f9d0-46cf-4f06-a0a2-50aef6cbf206/
SH256 hash:
0d191570930382397a371a8f1fb19bd8aa7151e2f48090b11a473d65db5e0cb5
MD5 hash:
f0bbbd62e7d944d946ad2c516a9d4bbe
SHA1 hash:
d9f7c013ec38613f53d1cd7bc9bab4222d056b17
Link:
https://www.unpac.me/results/b177f9d0-46cf-4f06-a0a2-50aef6cbf206/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/0d191570930382397a371a8f1fb19bd8aa7151e2f48090b11a473d65db5e0cb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 0d191570930382397a371a8f1fb19bd8aa7151e2f48090b11a473d65db5e0cb5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/210728/

Comments