MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ef7bd7eb5072a52e9e63dab1a6633413a19768ea84bf248868239b087f0900f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ef7bd7eb5072a52e9e63dab1a6633413a19768ea84bf248868239b087f0900f
SHA3-384 hash: ff1b7e7f3babd4ab422b5095a932cb329e5df3fbed9919ba237e989a36fbacdaa77611544fc01142a0a04fed734f2699
SHA1 hash: bbc97246613ee16ffe1c5139b97a44b8f80b7d49
MD5 hash: 0f20d5607826e14b4b13809f1d85a1fa
humanhash: timing-nebraska-mango-ink
File name:IXLNHh6VtvP2ZGL.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:837'120 bytes
First seen:2022-02-16 11:27:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:9AxaVxZsfD8WkfvOSAkMP6uFebA5FseQyhtywlnb9ba1bBZRsFScaD1FhrFKoGUs:hZsLYMCI9XQWN9e1dZRsEcmGRS/y
Threatray 13'555 similar samples on MalwareBazaar
TLSH T127055B7631EF1096C7B2EBF20BD9ACBF865AF173110E753A31815B968326D419E82371
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241891/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.26075.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/620cdfca875593a3ccd686cc/reports/f2eb5be5-e79b-4b66-8a65-87d7b200ed87/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/54cbc9a3-35b5-47ba-86c0-1851cfa280a7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/940765
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 573243 Sample: IXLNHh6VtvP2ZGL.exe Startdate: 16/02/2022 Architecture: WINDOWS Score: 100 33 www.u0biitep9.xyz 2->33 35 www.seyaaygrxhv.mobi 2->35 37 6 other IPs or domains 2->37 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 10 other signatures 2->51 11 IXLNHh6VtvP2ZGL.exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\user\...\IXLNHh6VtvP2ZGL.exe.log, ASCII 11->31 dropped 63 Tries to detect virtualization through RDTSC time measurements 11->63 15 IXLNHh6VtvP2ZGL.exe 11->15         started        18 IXLNHh6VtvP2ZGL.exe 11->18         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 20 explorer.exe 15->20 injected process9 dnsIp10 39 baznasdumai.com 109.106.253.234, 49821, 80 NETNET-ASRS Serbia 20->39 41 cdn-210-cdn-210-d02-ws.fastliii.com 45.60.186.218, 49775, 80 INCAPSULAUS United States 20->41 43 19 other IPs or domains 20->43 53 System process connects to network (likely due to code injection or exploit) 20->53 55 Performs DNS queries to domains with low reputation 20->55 24 msiexec.exe 20->24         started        signatures11 process12 signatures13 57 Self deletion via cmd delete 24->57 59 Modifies the context of a thread in another process (thread injection) 24->59 61 Maps a DLL or memory area into another process 24->61 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1ef7bd7eb5072a52e9e63dab1a6633413a19768ea84bf248868239b087f0900f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 10:40:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d33327vva4vff2pghwvruzrtie5bs5uovbf7esegqi43bb7qsahq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
201616caaad839735dc703230c000ebb254e0435a77253e160622c8cfbe10cc6
Formbook
640ac0fcf97c0474f805fdf150d7c539650a833e1cbb47393e188da5a1f5f5c3
Formbook
8e133618d88f4eb1975953fc0ef639a7192f7fea403f5a777a698a4631f741a6
Formbook
9bceb9680d39094087add5289a7e19aa93168faf9c5f2465700b117d59e8d841
Formbook
b3b6f6f58e9df22dda93da3c41997e4c36b48b4e8e851a217c572a0b78ce4b83
Formbook
ccf47d9fd0a0ddce06c265b87f0e2377bb58107c18659ac908b7e3a5731ad081
Formbook
d53c0ce4893779afc24b84d79e926ba6684b2dbc549b85e8213137e2a8358ab2
Formbook
d6a113f33599b8c821531df91dc5cd29501cab9fa911b8844a3447d0991e7362
Formbook
+ 13'545 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:icun loader rat
Link:
https://tria.ge/reports/220216-nk13msbfc4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Xloader
Unpacked files
SH256 hash:
42501404e1555afc191debd5c2c5ecccb08835a67d0de5f7215fde9f686078a1
MD5 hash:
fdffccd125d9c21507f21d4953f5f4ea
SHA1 hash:
b314822f0837ab84541cc41ce78fdf6f094359a3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/7fbb72f0-74e9-4e08-81e2-8af6b34e985c/
Parent samples :
05b6c2741d33e6b3a06eb63ddfb99d41f35463761a1d36fef5b408c36bf45637
1ef7bd7eb5072a52e9e63dab1a6633413a19768ea84bf248868239b087f0900f
e649ef1ecf0e0daefe140fa78271435271c8d55607f8365ddef4d94b66bfdfdd
39586764971f496d274f3d453029954720962ed36672050b742aef8b4e68a78e
SH256 hash:
1bf021372b2769cfed467a6aa412b8d5dd9486a5b8149760c7891a748910e251
MD5 hash:
54eb8de341dd48a152df6c94fc8ee140
SHA1 hash:
957f31331a0cff668067dd7916c8d8e465250a5d
Link:
https://www.unpac.me/results/7fbb72f0-74e9-4e08-81e2-8af6b34e985c/
SH256 hash:
0cc272835ee6d12502dba4fdc6de0bd36de736e26d87c4666a6b70521fbc3bd6
MD5 hash:
353c0b656ffb7e7405135feffff90bf2
SHA1 hash:
8d0524f36290eb0b2df0b8f9cf287ac27bb8abd4
Link:
https://www.unpac.me/results/7fbb72f0-74e9-4e08-81e2-8af6b34e985c/
SH256 hash:
10247a10eb82b362aa92688fb5bb240da4ba9796c4b7c8f22086fcf4b0413ab9
MD5 hash:
0a3eee369386c2846ffa28e17b20f15d
SHA1 hash:
52af7a7701d33221bfd66764c678e90d6bdf095b
Link:
https://www.unpac.me/results/7fbb72f0-74e9-4e08-81e2-8af6b34e985c/
SH256 hash:
1ef7bd7eb5072a52e9e63dab1a6633413a19768ea84bf248868239b087f0900f
MD5 hash:
0f20d5607826e14b4b13809f1d85a1fa
SHA1 hash:
bbc97246613ee16ffe1c5139b97a44b8f80b7d49
Link:
https://www.unpac.me/results/7fbb72f0-74e9-4e08-81e2-8af6b34e985c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1ef7bd7eb507/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/1ef7bd7eb5072a52e9e63dab1a6633413a19768ea84bf248868239b087f0900f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 1ef7bd7eb5072a52e9e63dab1a6633413a19768ea84bf248868239b087f0900f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/241891/

Comments