MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19445d7251f9c133c6bf786d987a6e333f6fcb0832f974a273ab73202a2e40c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19445d7251f9c133c6bf786d987a6e333f6fcb0832f974a273ab73202a2e40c9
SHA3-384 hash: d3906d7c6e2508dc2501cf7f9917e0f556ed14f99b96bcfa1f38d619bc6c8b34d373a333d75aa15cc91a97a7c7098b01
SHA1 hash: 993d0806785cab7848ba69735b06d096255b39a4
MD5 hash: 11cd09ebc5ee42129b6b5773dc10e350
humanhash: cola-stairway-missouri-apart
File name:M2021-D-074.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:477'184 bytes
First seen:2021-09-16 11:31:49 UTC
Last seen:2021-09-16 13:00:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:T+9FWHCM2K4Ci4+Td5lLlsPTeEDX3L93t6qharTapyw:y9v3C/adPuTbX3Lv6Frsyw
Threatray 9'442 similar samples on MalwareBazaar
TLSH T1A0A4C0243DEE9019F1B3AFB98ED575969B7EF7632703E85E1091038A0612B81DDC193E
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
M2021-D-074.exe
Verdict:
Malicious activity
Analysis date:
2021-09-16 11:34:59 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/5e1ef12f-f240-4676-bd63-6dac83424c73

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/188409/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.ALK.genEldorado.4611.5805.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/617522089a5a1e91c5d20465/reports/961a4cec-bce4-4c83-8763-570c65ce2589/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/afefc164-736a-4fa9-9570-e8bed06f350e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852020
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 484451 Sample: M2021-D-074.exe Startdate: 16/09/2021 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 7 other signatures 2->44 10 M2021-D-074.exe 3 2->10         started        process3 file4 30 C:\Users\user\AppData\...\M2021-D-074.exe.log, ASCII 10->30 dropped 56 Tries to detect virtualization through RDTSC time measurements 10->56 58 Injects a PE file into a foreign processes 10->58 14 M2021-D-074.exe 10->14         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 14->17 injected process8 dnsIp9 32 www.stephwoodwrites.com 199.34.228.72, 49786, 80 WEEBLYUS United States 17->32 34 www.cabaretbratislava.com 37.9.175.26, 49785, 80 WEBSUPPORT-SRO-SK-ASSK Slovakia (SLOVAK Republic) 17->34 36 10 other IPs or domains 17->36 46 System process connects to network (likely due to code injection or exploit) 17->46 21 wlanext.exe 17->21         started        24 autoconv.exe 17->24         started        signatures10 process11 signatures12 48 Self deletion via cmd delete 21->48 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 26 cmd.exe 1 21->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/19445d7251f9c133c6bf786d987a6e333f6fcb0832f974a273ab73202a2e40c9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-16 08:13:51 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dfcf24sr7hathrv7pbwzq6togm7w7syigl4xjittvnzsakroideq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
24dcd158651778db622e7ad72d70bce9ccd66ad754357285b9d3399c5dcb33d9
Formbook
36c5cccf34914902e9e6f2a53f30d3efb3215aa9d7516a5e56ab97d2a287ac51
Formbook
52c83128a5afe81533f6683e9fe4d53c6a00dd3b0650ee6136528114bef6117e
Formbook
55e967fecbdcb5166af6a5a6b8d09db0ca26582ed70d170a248a4d1e69c9a8c9
Formbook
af5c86dda09842ee8b442cea3c224c8e0cea387406a55f1dac5abb32d6aa1b8a
Formbook
ba16d80b218d269fcc8beb82c0c21b9533f5976fd2af0c873d5598e6f4e90307
Formbook
cb5d83a08a825fccf4a52e24c65f51b995ec34053194d7ff749fced8cc5d3fc6
Formbook
+ 9'432 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ez2z loader rat suricata
Link:
https://tria.ge/reports/210916-nnbbdsfhfl/
Behaviour
Enumerates system info in registry
Gathers network information
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.chriswrightt.com/ez2z/
Unpacked files
SH256 hash:
e0c99291ae7b961fe14792c39ed22172f1a407161c66b3e7a58a61e56774072f
MD5 hash:
6435a3d6fb444d2e8679ee00b1b2f25b
SHA1 hash:
37419ce689c6cbbcbd27daa44b5e35088be3e91c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d060d915-30d0-4b96-8474-dd89c15a919b/
Parent samples :
cb5d83a08a825fccf4a52e24c65f51b995ec34053194d7ff749fced8cc5d3fc6
ba16d80b218d269fcc8beb82c0c21b9533f5976fd2af0c873d5598e6f4e90307
36c5cccf34914902e9e6f2a53f30d3efb3215aa9d7516a5e56ab97d2a287ac51
52c83128a5afe81533f6683e9fe4d53c6a00dd3b0650ee6136528114bef6117e
19445d7251f9c133c6bf786d987a6e333f6fcb0832f974a273ab73202a2e40c9
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/d060d915-30d0-4b96-8474-dd89c15a919b/
SH256 hash:
143fc6a164b3147fc23d7d09b17922e60a313a3bc5a772cc711e6d6d5b9cd248
MD5 hash:
e60c624ec50a65126821dae465c3ff20
SHA1 hash:
2106ad5b562c4743eeaa366c2f5ea5f204df7539
Link:
https://www.unpac.me/results/d060d915-30d0-4b96-8474-dd89c15a919b/
SH256 hash:
19445d7251f9c133c6bf786d987a6e333f6fcb0832f974a273ab73202a2e40c9
MD5 hash:
11cd09ebc5ee42129b6b5773dc10e350
SHA1 hash:
993d0806785cab7848ba69735b06d096255b39a4
Link:
https://www.unpac.me/results/d060d915-30d0-4b96-8474-dd89c15a919b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/19445d7251f9c133c6bf786d987a6e333f6fcb0832f974a273ab73202a2e40c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 19445d7251f9c133c6bf786d987a6e333f6fcb0832f974a273ab73202a2e40c9

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/188409/

Comments