MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19d34ef30d521849caa19f1cf2adc2f4c8097483cfb436ff6066ad60387b630f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19d34ef30d521849caa19f1cf2adc2f4c8097483cfb436ff6066ad60387b630f
SHA3-384 hash: 3d6804731cb3984ac6827e44ec3529e3ebab49737d10be4b02e504d869a6034a3ec395134dffe3f7e597e042896edd81
SHA1 hash: b1eb9b77b84c58cb394317f3a5f73e81741637b5
MD5 hash: ac688cf4646c2ba3e564a9c7425d0c0f
humanhash: lima-maine-mars-two
File name:ac688cf4646c2ba3e564a9c7425d0c0f
Download: download sample
Signature Formbook
Create hunting rule
File size:553'984 bytes
First seen:2022-03-15 15:18:45 UTC
Last seen:2022-04-20 09:49:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:f8E+j/e1vBmrcInZIBk/HJZnOJ8r3F/mTBOXG:fSrigpneESJUMTo
Threatray 80 similar samples on MalwareBazaar
TLSH T117C4BE596BAF8163F525FFBB7BF16B200285FEB1B873C24B28C82DE4565F2C55992040
File icon (PE):PE icon
dhash icon f8e0e8cacacaea94 (1 x AgentTesla, 1 x Formbook, 1 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
man.exe.zip
Verdict:
Suspicious activity
Analysis date:
2022-03-15 12:45:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4e6eb30c-71f5-4ee7-8620-0c687964ed7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250950/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6230ae76b94fb38cb485bee5/reports/3512fadb-0498-49db-b5c8-d72eed072402/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8fb34c4d-fb13-4442-9c3d-43b4e0781cb0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/957209
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 589690 Sample: RVZ4zcHNpo Startdate: 15/03/2022 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 8 other signatures 2->51 9 RVZ4zcHNpo.exe 1 5 2->9         started        process3 file4 35 C:\Users\user\AppData\Local\kings.exe, PE32 9->35 dropped 37 C:\Users\user\...\kings.exe:Zone.Identifier, ASCII 9->37 dropped 39 C:\Users\user\AppData\...\RVZ4zcHNpo.exe.log, ASCII 9->39 dropped 63 Tries to detect virtualization through RDTSC time measurements 9->63 13 RVZ4zcHNpo.exe 9->13         started        signatures5 process6 signatures7 71 Modifies the context of a thread in another process (thread injection) 13->71 73 Maps a DLL or memory area into another process 13->73 75 Sample uses process hollowing technique 13->75 77 Queues an APC in another process (thread injection) 13->77 16 explorer.exe 13->16 injected process8 signatures9 41 Uses netsh to modify the Windows network and firewall settings 16->41 43 Uses ipconfig to lookup or modify the Windows network settings 16->43 19 kings.exe 3 16->19         started        22 kings.exe 2 16->22         started        24 ipconfig.exe 16->24         started        26 2 other processes 16->26 process10 signatures11 53 Antivirus detection for dropped file 19->53 55 Multi AV Scanner detection for dropped file 19->55 57 Machine Learning detection for dropped file 19->57 28 kings.exe 19->28         started        31 kings.exe 22->31         started        59 Self deletion via cmd delete 24->59 61 Tries to detect virtualization through RDTSC time measurements 24->61 33 cmd.exe 1 24->33         started        process12 signatures13 65 Modifies the context of a thread in another process (thread injection) 31->65 67 Maps a DLL or memory area into another process 31->67 69 Sample uses process hollowing technique 31->69
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/19d34ef30d521849caa19f1cf2adc2f4c8097483cfb436ff6066ad60387b630f/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-15 16:03:17 UTC
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
44282dbf84b4ca3da5ca238140e9aaee406fc342b459b9d27fea581802287ca5
Formbook
50e47f2ad6a616f1863ea677957a50d2aef65705836eaa4441b3367df8649906
Formbook
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
Formbook
75a25fe05bbcefe44a5965015d178374e74b2d2be3ec2fba5d15cf37dc93df20
Formbook
780aee300d0f8eba4233484b475aa6a0109e40d0bec49d1d7fd4435846ca6608
Formbook
b01331a5470088edce46530556b5c2598397d71552f62794ea0f7501c779c966
Formbook
e5c11575362968051ed9c24b45489c771d7cd7737c9212eb88cf2a46c2215d36
Formbook
e8096fa93aebba05def7403773671e1a0bc547af4b44cceb2761e6be655b2d43
Formbook
f32313541169b4b774215aed7bf6c06e5823a8441ec1de28a647676bc68c02f2
Formbook
+ 70 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:vfm2 loader persistence rat
Link:
https://tria.ge/reports/220315-sp6wxadbd3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Unpacked files
SH256 hash:
5abe1de48d7955853d262a39629941a7ebc4f20c7504547318f008be29687af3
MD5 hash:
35bb5c8297c78eed295665bd5a129fda
SHA1 hash:
0a718b7ec826f26d8414e9dfe5eadcbffde682e9
Link:
https://www.unpac.me/results/35926d11-5801-4d06-a049-9e50ba641e91/
SH256 hash:
b2c0a20071a5c680944335fd4a83e43b9d43da56271d31eea14187f52cd6ee63
MD5 hash:
3954f80b6aa57db559fb047ba33ec3ab
SHA1 hash:
9c68e837a494859d99330377f43c364245623400
Link:
https://www.unpac.me/results/35926d11-5801-4d06-a049-9e50ba641e91/
SH256 hash:
aebfe918b516192a6ecdad451f90e8ae597b91d8c650be89363c45d20f5a41cb
MD5 hash:
4c3cfedf5d918c8277075db324ba11de
SHA1 hash:
eca39c0b3ec056a38e9c3a75902a40af9480cf2e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/35926d11-5801-4d06-a049-9e50ba641e91/
Parent samples :
4ba1bb8220fe9f1c374cf2583459ac05af4ecf4a0ed023f42cac04da0dd0ea8b
94e8308989d63f75b02e89c5d30e01d9d7dedbf7bb446d3aa6fb83b6e20bcecc
3354bfb1dd06bae0110dac4363b13fde838e8299af8d9acb67fe5a39ae4159bf
6e164cb51ca6a0c1c9c27d4d4fece6d970bfe924be2f5766fd2d04bd59fe0d6e
c349c8a20c6576c397a5dff95fb121e7a16dfdd992e08694a4aacf387cf8c3e7
19d34ef30d521849caa19f1cf2adc2f4c8097483cfb436ff6066ad60387b630f
ca77df966e202e0eab6d3c2280f95fb59aee28b5e9e540be3dca1d66c46bf2af
SH256 hash:
19d34ef30d521849caa19f1cf2adc2f4c8097483cfb436ff6066ad60387b630f
MD5 hash:
ac688cf4646c2ba3e564a9c7425d0c0f
SHA1 hash:
b1eb9b77b84c58cb394317f3a5f73e81741637b5
Link:
https://www.unpac.me/results/35926d11-5801-4d06-a049-9e50ba641e91/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/19d34ef30d521849caa19f1cf2adc2f4c8097483cfb436ff6066ad60387b630f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 19d34ef30d521849caa19f1cf2adc2f4c8097483cfb436ff6066ad60387b630f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2098472/
Cape
Cape
https://www.capesandbox.com/analysis/250950/

Comments


Avatar
zbet commented on 2022-03-15 15:18:46 UTC

url : hxxp://107.172.73.140/acc/man.exe