MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1da66787bac6e2293792bf1f2d262c9d587b1fb63084ec6afff294b79c208014. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	1da66787bac6e2293792bf1f2d262c9d587b1fb63084ec6afff294b79c208014
SHA3-384 hash:	805612f2fbf12fcccc52e984da636961e3fe648f03c05c04786bd9605b1a3bc54467e5de870222eceb7fa4398f873cd9
SHA1 hash:	46b1718671e662b34d903eb9acf2cc09ef893ff6
MD5 hash:	6324862ccd183522472fedbe3901d267
humanhash:	vermont-salami-red-apart
File name:	RFQ_AP65425652_032421 URGENTES,PDF.EXE
Download:	download sample
Signature	Formbook Create hunting rule
File size:	854'528 bytes
First seen:	2021-04-07 11:57:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:IehAesJPxtoGyiI7bMQVtbl1wm9YL44Mwv5N:IehAe0toGqbMQVtbl1wmuc4H
Threatray	4'539 similar samples on MalwareBazaar
TLSH	B20501212B988F94E43E6336053654A047F1BDAED336DB1E7DD8B1DE2A32A145237F42
Reporter	cocaman
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RFQ_AP65425652_032421 URGENTES,PDF.EXE

Verdict:

Suspicious activity

Analysis date:

2021-04-07 12:06:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c433c649-b91b-482f-8a54-069e24f387a6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/132852/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.634-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/668623

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/1da66787bac6e2293792bf1f2d262c9d587b1fb63084ec6afff294b79c208014/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-04-07 11:58:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dwtgpb52y3rcsn4sx4ps2jrmtvmhwh5wgccoy2x76kklphbaqaka._file

Verdict:

malicious

Label(s):

formbook

Formbook

238dd9cb9b1c235e2babbc3f3b1372da8d76e4d94a4440776814957e0fd09f0b

Formbook

486035f5d7f5cffc2c03aee2ecb06252449dc9330cae4b8fb35662010f59eab8

Formbook

9763034a6f6e93c907471ca361e619f5fe5ec0b3aeb301cd046bd877c62aaea7

Formbook

bd6055810a703f4f0caec388c7cce89661ee9451179dc3abe6261480bda4105e

Formbook

c4527be43e6ad0e3eb7e8ca1bf26c120c0c5eef996716178a87bbe2b807efa57

Formbook

cfc09cd2a2109a174ccbc346779f2e19316be4601173e2e85c3e4314cc139017

Formbook

dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450

Formbook

e3e835f0a966220781ace04187f77bc80f074043d910633e722468089a6fffc8

Formbook

e92125c96b4bee95fd7b70d867271510071f812699733de75dd5e64636030314

Formbook

+ 4'529 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210407-f7154hsa8s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.luegomusic.com/pe0r/

Unpacked files

SH256 hash:

6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379

MD5 hash:

95dfa1a9015a17a1d49b4faa3f3d999d

SHA1 hash:

427b72727b28436554d0443d797f19b2ea37cc16

Link:

https://www.unpac.me/results/397b1d7e-a024-44dd-97a3-94f10da2a561/

SH256 hash:

1da66787bac6e2293792bf1f2d262c9d587b1fb63084ec6afff294b79c208014

MD5 hash:

6324862ccd183522472fedbe3901d267

SHA1 hash:

46b1718671e662b34d903eb9acf2cc09ef893ff6

Link:

https://www.unpac.me/results/397b1d7e-a024-44dd-97a3-94f10da2a561/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1da66787bac6e2293792bf1f2d262c9d587b1fb63084ec6afff294b79c208014

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time