MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17d143d76b7279d4a2aba0ec3c614714384bbc57f7b5c1018a76ae7b60da7049. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17d143d76b7279d4a2aba0ec3c614714384bbc57f7b5c1018a76ae7b60da7049
SHA3-384 hash: bf76ee8d89c1577f6ccec608fb523601116c43303fb5730f3e00a38aae4d749600b1044da7483b5b6a4e12e1a7ab7075
SHA1 hash: 983164073f1b89c80a328b11b574d2a1df9f5a4d
MD5 hash: 09f8303a0b3321883bd45bc8a306c8b1
humanhash: undress-football-bravo-oxygen
File name:SecuriteInfo.com.Trojan.Win32.Save.a.12017.32304
Download: download sample
Signature Formbook
Create hunting rule
File size:799'232 bytes
First seen:2021-07-12 11:54:58 UTC
Last seen:2021-07-12 12:42:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:cK1MfoCRVXN5GnTOdU+CHpZszsAI5arGXbqFEjUKcvLFK2yxjRSxo80i5h5HsX:cK+QCRBIcGXbqdvzyxjRCoxi5hWX
Threatray 6'504 similar samples on MalwareBazaar
TLSH T1D0054B2C23BD9609F13BFFB09F64A6049FE576669725D14E3DD1428E2420E80EE76933
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Win32.Save.a.12017.32304
Verdict:
Malicious activity
Analysis date:
2021-07-12 11:55:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/029eb567-16f8-4df4-8c55-1f423b957d74

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171064/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.12017.32304.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e76cc782-e135-4a19-a4fa-d980b4685fbf
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814804
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/17d143d76b7279d4a2aba0ec3c614714384bbc57f7b5c1018a76ae7b60da7049/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 07:36:20 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7iuhv3loj45jivludwdyykhcq4expcx6624camko2xhwyg2obeq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3ba0da5db0ccdbabdfd7e95fe24a1c43056b77893dc6c589ede0a2a4ba365cce
Formbook
4d345d3e9341f12df8e933686d66efde41d0ba682e67b8a3d23064b35b400429
Formbook
61be8eb2905c08febca2821b39701ea6a361ae21e807866d240b3b122221cf62
Formbook
786e182e324b83c59ad1b095f7d520598a1b72cfce239b4274d462c7ba45bf18
Formbook
9ecedea13dc027095e79edab82e3988f028dfda3ea5b5469351a52a82a60ff7f
Formbook
a086821049463b0bfc414cb3763c4f82688182d2d018ae5c9cd472f59f9e36ff
Formbook
b1fbc6ceb27ff1142228b55cfc493da29609dcaf9660ce70af8e574beecfd560
Formbook
d3501787751324e615bd13ed80417360fbd7558385662ac34c51b34802f9b9d4
Formbook
e110fdb6d419cc120ccbbf2e2121f3a95c2f60f55fea70a6f6bb0c904acb1251
Formbook
ebe1f420ea3fcef5b426cf6458d23984e12c4ceb5983571699f60aaa963b159a
Formbook
+ 6'494 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210712-814f8sk82j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.all4ocean.com/aqu2/
Unpacked files
SH256 hash:
5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4
MD5 hash:
b0e14c3526d6623ae9b7b5f5e0efde76
SHA1 hash:
f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc
Link:
https://www.unpac.me/results/5cb393fb-3bb3-40b2-8b29-af53832b2e1f/
SH256 hash:
f786b3044e3740d413c2f768ce99080e321a377a43121ab8e0ff63cdcbc18910
MD5 hash:
39e45fd9b93f836d8f6508331a493058
SHA1 hash:
14ccce8ab37daab1a2f5e4b63162e571e46e1479
Link:
https://www.unpac.me/results/5cb393fb-3bb3-40b2-8b29-af53832b2e1f/
SH256 hash:
00bbc8fefe66ccc990d87f9429da1d24ef21d75bd74d103e3431b4d12a23b25c
MD5 hash:
8e1a3397c42b461089cb01ab01c833cf
SHA1 hash:
eaa03fb3d3fa998a8251b38ca3885a5b45afe706
Link:
https://www.unpac.me/results/5cb393fb-3bb3-40b2-8b29-af53832b2e1f/
SH256 hash:
db95231c53b5fd672bb724e31020ae54862f090578733c84f42b6294c678da60
MD5 hash:
e064e5627bdd49a4afb0f6fabb8732eb
SHA1 hash:
7ac427981a02019cf9fb38cf45b2c20e42949bef
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5cb393fb-3bb3-40b2-8b29-af53832b2e1f/
Parent samples :
17d143d76b7279d4a2aba0ec3c614714384bbc57f7b5c1018a76ae7b60da7049
22f8bd6d14f40adb264992b23b49be37feeefeb00ff0702bfea5662b401ff8d6
SH256 hash:
17d143d76b7279d4a2aba0ec3c614714384bbc57f7b5c1018a76ae7b60da7049
MD5 hash:
09f8303a0b3321883bd45bc8a306c8b1
SHA1 hash:
983164073f1b89c80a328b11b574d2a1df9f5a4d
Link:
https://www.unpac.me/results/5cb393fb-3bb3-40b2-8b29-af53832b2e1f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17d143d76b7279d4a2aba0ec3c614714384bbc57f7b5c1018a76ae7b60da7049

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 17d143d76b7279d4a2aba0ec3c614714384bbc57f7b5c1018a76ae7b60da7049

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/171064/
  
URLhaus
https://urlhaus.abuse.ch/url/1447203/
  
Delivery method
Distributed via web download

Comments