MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13b97bdc5e28d592ef42df9b6fcd18514bcc38ed26f28ec5943dbbd479458fac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13b97bdc5e28d592ef42df9b6fcd18514bcc38ed26f28ec5943dbbd479458fac
SHA3-384 hash: 43cc3d068b9bd52bb0418600d82edbfc605a5b46022b281c37d0a4f8a3b8dff213dee2fe85153fd3812cc9d9cd0646bb
SHA1 hash: 57889298507367bdbb357daecddbd4c43295886f
MD5 hash: 95e632b834c3e28521bebc17202e23bc
humanhash: eighteen-alanine-sodium-tango
File name:Order Confirmation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:770'048 bytes
First seen:2021-09-23 01:55:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:G3DgmtiK5oruKWVShg0xQU+vX4NshAQ3eCrPuPSV7uUHVw2rk:Yg+FouEhgmD+vushBeCzu9Wnr
Threatray 9'528 similar samples on MalwareBazaar
TLSH T15DF48AC56D988603C3A55632CC5D6205366C2C4A7723878BDBE53E7B3EFE287C12D58A
File icon (PE):PE icon
dhash icon a28aa2e2e0aaa2a2 (14 x Formbook, 11 x AgentTesla, 5 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order Confirmation.exe
Verdict:
Malicious activity
Analysis date:
2021-09-23 01:57:12 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/6200aefe-ba75-4e2a-9fae-207fb4fe485f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190445/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.26929.UNOFFICIAL
Create hunting rule

Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3795b486-a1f6-4300-b772-8fd3a820e9b8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856103
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 488534 Sample: Order Confirmation.exe Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 30 www.student-study.com 2->30 32 www.rip-online.com 2->32 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 8 other signatures 2->46 11 Order Confirmation.exe 5 2->11         started        signatures3 process4 signatures5 60 Injects a PE file into a foreign processes 11->60 14 Order Confirmation.exe 11->14         started        17 Order Confirmation.exe 11->17         started        process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 19 explorer.exe 14->19 injected process8 dnsIp9 34 haryanaaffordableflats.com 198.38.91.55, 49819, 80 SERVERCENTRALUS United States 19->34 36 gplpocket.com 45.79.121.33, 49828, 80 LINODE-APLinodeLLCUS United States 19->36 38 12 other IPs or domains 19->38 48 System process connects to network (likely due to code injection or exploit) 19->48 50 Performs DNS queries to domains with low reputation 19->50 23 systray.exe 19->23         started        signatures10 process11 signatures12 52 Self deletion via cmd delete 23->52 54 Modifies the context of a thread in another process (thread injection) 23->54 56 Maps a DLL or memory area into another process 23->56 58 Tries to detect virtualization through RDTSC time measurements 23->58 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/13b97bdc5e28d592ef42df9b6fcd18514bcc38ed26f28ec5943dbbd479458fac/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 01:56:04 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=co4xxxc6fdkzf32c36nw7tiykff4yohne3zi5rmuhw55i6kfr6wa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
115716164b2092df207c750d11a2b4ce05bee204b7f21f1f62d93a5b7d78afa1
Formbook
2fc82f206abb0d6d6b4d7a916be93b408ab78f848531917b3968b066a5a31023
Formbook
3ac2da7ec8b0c46550c9b85707c4743ea4cacbb5bb6ee0fd159792f3978e3ad3
Formbook
40da3a76d7dfbe395b879dc9b090af73483617c65c7c433975490c0a22e4a71a
Formbook
4eb131114c2b67395cff2f126c699a569e6ba5e3a53876f79588dfa0924b3d7e
Formbook
5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8
Formbook
84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d
Formbook
8a95ac711537aeb1c93c61e541077005f5226e4150c2669742d1b612cfc25788
Formbook
a0d1e3fbe11fcbbea9dcad1880e23ea531c01c20fbbf383174cd420349657a01
Formbook
ea12191fcd49d36b68be2c466a24cac87cfd79f9d1fb18ef252037f0fb976979
Formbook
+ 9'518 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ccxq loader rat
Link:
https://tria.ge/reports/210923-ccph4aebe2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.ss-traders.net/ccxq/
Unpacked files
SH256 hash:
9de634512a443f45e68eb4aa0cf6c4947165602340a3d9a1f32f2def7d35607c
MD5 hash:
34df17dbc78ba007884b71671f194f53
SHA1 hash:
e7f21d5edbc0b26431774dd04436eb1b2828407c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4fac714a-e136-486d-94dc-2b093e3bb7ac/
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/4fac714a-e136-486d-94dc-2b093e3bb7ac/
SH256 hash:
2ba0bb63d8fe0719fdefae838b2864adcf540a6ca82db03c99faf5baf52297b3
MD5 hash:
64e5f95251dc6c12cb817ed0eef8390e
SHA1 hash:
9ff5d84bd10aa7aaf9df9a314959bf1b3cfd2d56
Link:
https://www.unpac.me/results/4fac714a-e136-486d-94dc-2b093e3bb7ac/
SH256 hash:
8daa9290b746955e6ab046d8286e0de5cabf1310b2a5890816d46aa73d3d6c3d
MD5 hash:
8e8b821c42d1d45a150535f281986895
SHA1 hash:
5b3d51c45a143041eef85540352b260136230b24
Link:
https://www.unpac.me/results/4fac714a-e136-486d-94dc-2b093e3bb7ac/
SH256 hash:
13b97bdc5e28d592ef42df9b6fcd18514bcc38ed26f28ec5943dbbd479458fac
MD5 hash:
95e632b834c3e28521bebc17202e23bc
SHA1 hash:
57889298507367bdbb357daecddbd4c43295886f
Link:
https://www.unpac.me/results/4fac714a-e136-486d-94dc-2b093e3bb7ac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/13b97bdc5e28d592ef42df9b6fcd18514bcc38ed26f28ec5943dbbd479458fac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 13b97bdc5e28d592ef42df9b6fcd18514bcc38ed26f28ec5943dbbd479458fac

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/190445/

Comments