MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 116440ea0c30932c6cdd9f67ef362006fb3785071e211ea5ac007bb18a540f8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	116440ea0c30932c6cdd9f67ef362006fb3785071e211ea5ac007bb18a540f8e
SHA3-384 hash:	cf6669b8e061151cf5629ea9bcfcf0cde2b42e0f16f07b28a6ed47a7e99d1f63ab35a3062bc22ca175d3fff67fbaa3a3
SHA1 hash:	34786ec44d731afd2af433c51bdd01ed22434037
MD5 hash:	66e8cc3773147893d9bd320e5f440850
humanhash:	helium-queen-skylark-echo
File name:	SecuriteInfo.com.W32.AIDetectNet.01.6869.1842
Download:	download sample
Signature	Formbook Create hunting rule
File size:	671'744 bytes
First seen:	2022-05-20 11:57:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:KS6BQAmUbfnbj0fkCmbwMWPdMx2i/5oWVt1t9tvCD:wnbj0fkTbrIKx2i/7VnFvS
Threatray	12'174 similar samples on MalwareBazaar
TLSH	T1DEE4121467E88F11E0DE5BB791A1002003B6FE1EB963F71E69A570D91DB37C18893B6B
TrID	54.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 23.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.8% (.EXE) Win64 Executable (generic) (10523/12/4) 4.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	31110d6773510d01 (1 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.6869.1842

Verdict:

Malicious activity

Analysis date:

2022-05-20 12:15:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c1a0f90c-3038-4d7b-84a1-39f55f7f2049

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/272985/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.6869.1842.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed update.exe

Link:

https://www.filescan.io/uploads/62878220afb61a38666102f8/reports/2e03974f-f2d8-49d9-98b8-907509158efb/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/df26ba37-5d37-453d-910a-1ad5acb9a6bc

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/998530

Signature

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/116440ea0c30932c6cdd9f67ef362006fb3785071e211ea5ac007bb18a540f8e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-20 12:06:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cfseb2qmgcjsy3g5t5t66nraa35tpbihdyqr5jnmab53dcsub6ha._file

Verdict:

malicious

Label(s):

formbook

Formbook

3f38d14b57be8821c36b5a3b35fee281a0371fb2b41cbecb2f788c29a34f05ef

Formbook

5e0b3793ea67f580aa658ab4629f7a4f4f9e307083c4ac4b6604a959d204b856

Formbook

6eef88d9b2ada286ff5f0ee740bd12a593a6111f2e29e0b86cc43dc437701edf

Formbook

71ed38b5c950b506cced8e7d12d773bb1fa20daadf3570a98577054749caadfe

Formbook

84483ed46317d2ba114e3b5f49c4a54a8801bf648b73578135372dedd3f8a9ca

Formbook

c483fdd57cf8e05985e6e09ae3c74a7b53cccff68ddccd0cfea136591ec5c306

Formbook

cc715fcd2300c306a1254671a3119516a60d0662b5776a690e0c2b451f868d34

Formbook

+ 12'164 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:a08h loader rat

Link:

https://tria.ge/reports/220520-n456psbbh7/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Xloader Payload

Xloader

Unpacked files

SH256 hash:

7b852a34d67e5efebe88d6c01daccd2a413b40bce49a70e80a8e30d7231b14a0

MD5 hash:

cb231c3a377c64019d94cc3592ddf58f

SHA1 hash:

d340d8600401363363a7bf30859ecdd4e026992d

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/9b9b70e6-7b1a-4885-a987-4cd207793f22/

Parent samples :

3bdf54d6b07a96a026ed34f1db8d5cc442c1a211d02ff888659d7263ccc77c4c
32fae9922417d6405bf60144d819d5e02b44060fa8f07e5e71c824725f44307f
de36ea5b8c40db020f6292ee0ce1a0fac7b33d58bd8691e4371a657ca80d8665
116440ea0c30932c6cdd9f67ef362006fb3785071e211ea5ac007bb18a540f8e

SH256 hash:

e1119fbf08396e6b88a3471c2f09442cc45e93babcddafbafb71bfbd00263738

MD5 hash:

cde57600eaeebd95222a8e3a3cc97dde

SHA1 hash:

f9b37c8000023c33bf8458491ab921a5c93a3402

Link:

https://www.unpac.me/results/9b9b70e6-7b1a-4885-a987-4cd207793f22/

SH256 hash:

5a90c7be4465c89ed010fa4abf8d31b361b25ba05f539dfb76bd2e11638174a9

MD5 hash:

087910f5bfe55b0025b6ed5662905724

SHA1 hash:

6f3bdf15f285e662966cbea2f4a0e6bc4f22ed77

Link:

https://www.unpac.me/results/9b9b70e6-7b1a-4885-a987-4cd207793f22/

SH256 hash:

8d624de920ae21aa663f24106e2be043ba1fbf1f0d6106ee9fa93b18dc3c3f43

MD5 hash:

cb1d3490acc509978783032f79ac4ffc

SHA1 hash:

4586a5ca1612995e7e9fee24e67dfc2e3c97f3e7

Link:

https://www.unpac.me/results/9b9b70e6-7b1a-4885-a987-4cd207793f22/

SH256 hash:

116440ea0c30932c6cdd9f67ef362006fb3785071e211ea5ac007bb18a540f8e

MD5 hash:

66e8cc3773147893d9bd320e5f440850

SHA1 hash:

34786ec44d731afd2af433c51bdd01ed22434037

Link:

https://www.unpac.me/results/9b9b70e6-7b1a-4885-a987-4cd207793f22/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/116440ea0c30932c6cdd9f67ef362006fb3785071e211ea5ac007bb18a540f8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/272985/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample