MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a754df19cdce289a20f1cdcbdc054311d57300b49168e9b7fb05e357fd7dcd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a754df19cdce289a20f1cdcbdc054311d57300b49168e9b7fb05e357fd7dcd5
SHA3-384 hash: 41240351b5b66894362dd98096ff14c5452832bed7ac3fa0716c9876d33559cbc0521928fc25c8b002196fc663210be9
SHA1 hash: bd8ec78bcac12d77f73e0c759d3f33ae009fff61
MD5 hash: 1953b54ea9bfb1d86aab4e4443edc3bd
humanhash: wisconsin-lake-eight-angel
File name:from-iso_DHL_119040 SISSETULEKU DOKUMENT,PDF.BAT__.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:543'232 bytes
First seen:2021-12-21 16:50:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:WfA6CVwEMtlugesN9ZCsTPhnUV9/15gG3WPTYCg33/W9K:EA6CVwEMtlAg7CuUT1pC
Threatray 12'593 similar samples on MalwareBazaar
TLSH T11BC4BE5DF650F5EFC41BCA3699741C206B60E477934FD75BA44722AE880D2CB8E0A8E7
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
from-iso_DHL_119040 SISSETULEKU DOKUMENT,PDF.BAT__.exe
Verdict:
Malicious activity
Analysis date:
2021-12-21 17:07:27 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/58b30fec-f3a2-40a7-af60-f26a5a2f14d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215686/
Detection(s):
SecuriteInfo.com.Artemis1953B54EA9BF.6972.1672.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61c205fbec6c6c14a9e7f327/reports/0a1abc3d-f3c9-4754-ac4f-5119a8e275b9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/385aef32-d5f9-4653-8e28-ec1e93922357
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/911100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 543577 Sample: from-iso_DHL_119040 SISSETU... Startdate: 21/12/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 6 other signatures 2->42 10 from-iso_DHL_119040 SISSETULEKU DOKUMENT,PDF.BAT__.exe 3 2->10         started        process3 file4 32 from-iso_DHL_11904...T,PDF.BAT__.exe.log, ASCII 10->32 dropped 13 from-iso_DHL_119040 SISSETULEKU DOKUMENT,PDF.BAT__.exe 10->13         started        16 from-iso_DHL_119040 SISSETULEKU DOKUMENT,PDF.BAT__.exe 10->16         started        process5 signatures6 52 Modifies the context of a thread in another process (thread injection) 13->52 54 Maps a DLL or memory area into another process 13->54 56 Sample uses process hollowing technique 13->56 58 Queues an APC in another process (thread injection) 13->58 18 explorer.exe 13->18 injected process7 process8 20 chkdsk.exe 18->20         started        signatures9 44 Self deletion via cmd delete 20->44 46 Modifies the context of a thread in another process (thread injection) 20->46 48 Maps a DLL or memory area into another process 20->48 50 Tries to detect virtualization through RDTSC time measurements 20->50 23 explorer.exe 1 146 20->23         started        26 cmd.exe 1 20->26         started        28 explorer.exe 1 151 20->28         started        process10 dnsIp11 34 192.168.2.1 unknown unknown 23->34 30 conhost.exe 26->30         started        process12
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1a754df19cdce289a20f1cdcbdc054311d57300b49168e9b7fb05e357fd7dcd5/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-21 11:06:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dj2u34m43tritiqpdtol3qcugeovomaljeli5g37wbpdk76x3tkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
15e4f50b213a1cc5545dd4a173eabfed7f2ea6019117fdc374ef1514632bdb55
Formbook
248b6eeee418dfa9bfae299491cc483275e1820f001b7b21ab6cd29a762e2a34
Formbook
48f6e66bd79f4963bd12037988a93f1708a63e4caa7e17a0ba7cc11fdb90076b
Formbook
61958a4fe3c96c015cd835174e8eca1c369cf5f34add7e3f3aedde342239f8bb
Formbook
7415f5e7f8ae4514ca13ec7ae4e3b4005e93c63eaba82d03048de5f60eb784fa
Formbook
787179b3dd4ded4008927e4033331b00b60762872da94de5db3e6bf4a3b6e143
Formbook
7f4888239060a411b5a521d19e88bb1158189634f764383c2c2fc0bb84e01169
Formbook
d2a727f2af1ff844439a4b0d68328cc0a92fd4de8537dbc5df4d397c80c03707
Formbook
dce5f044b1f4396f33c3574667169dcbdeb3aebb037c9f53d7a8c38e095f576d
Formbook
e146d9fee7645fc19d995f9d018cac7d0070acf5399128b8435e8532df423921
Formbook
+ 12'583 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:nrve loader rat suricata
Link:
https://tria.ge/reports/211221-vctf6aehcq/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
d0eca5257ea69fb4df2b686ee10d13a8780fd966e37753f5e0ad8a25a5ede0eb
MD5 hash:
2bbd44f6c661516f39f19dc00a6f4052
SHA1 hash:
55ecf41b05f0f2e9368dd35fa8c4049e01d74399
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9b9c8a91-a63c-40e0-80ae-3d812ccc4251/
Parent samples :
61958a4fe3c96c015cd835174e8eca1c369cf5f34add7e3f3aedde342239f8bb
1a754df19cdce289a20f1cdcbdc054311d57300b49168e9b7fb05e357fd7dcd5
SH256 hash:
924971edd391379fbed851351b25e82db6b98027b25df3d1d060989fb34d0e95
MD5 hash:
1549de5ccfc4e742e92c951bafc0caeb
SHA1 hash:
e5b8e4e35a0bdedef012b3e3be35f6237c0b95c5
Link:
https://www.unpac.me/results/9b9c8a91-a63c-40e0-80ae-3d812ccc4251/
SH256 hash:
129916d0bb9c4edf72c655401f718e7e03d729ec1880284f0cfd87a1c81cf5a2
MD5 hash:
30c5472aafec7a023f9858fc841bf9c0
SHA1 hash:
ed30c35a58edfa9da66b1a026a01fb38629e09b4
Link:
https://www.unpac.me/results/9b9c8a91-a63c-40e0-80ae-3d812ccc4251/
SH256 hash:
cc863038dfc58d37276a1f1cb952870d6a2cd81a7ac72d3ed7021e5c5aa1c8f0
MD5 hash:
2c5570f3b591aa1fd57f5ec62ab89b76
SHA1 hash:
7a451b030d1acef0a149e333ba9df225fc5494d1
Link:
https://www.unpac.me/results/9b9c8a91-a63c-40e0-80ae-3d812ccc4251/
SH256 hash:
1a754df19cdce289a20f1cdcbdc054311d57300b49168e9b7fb05e357fd7dcd5
MD5 hash:
1953b54ea9bfb1d86aab4e4443edc3bd
SHA1 hash:
bd8ec78bcac12d77f73e0c759d3f33ae009fff61
Link:
https://www.unpac.me/results/9b9c8a91-a63c-40e0-80ae-3d812ccc4251/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1a754df19cdc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/1a754df19cdce289a20f1cdcbdc054311d57300b49168e9b7fb05e357fd7dcd5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/215686/

Comments