MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fae82dd43e0af0adf50dea57a3a609682ea8a604d67701448ab91d3193f4eb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1fae82dd43e0af0adf50dea57a3a609682ea8a604d67701448ab91d3193f4eb1
SHA3-384 hash: b7fad73939320266ccaf4e252f88682de444c5420330aae46f6de69f8de3f5973c1a45589a5428600618236998f70cdf
SHA1 hash: 488a278e74f451b661e59fda69473232669b89ee
MD5 hash: e1be4d5a120b60f3e06225f7e8bbccd2
humanhash: uranus-fanta-social-leopard
File name:e1be4d5a120b60f3e06225f7e8bbccd2
Download: download sample
Signature Formbook
Create hunting rule
File size:611'328 bytes
First seen:2021-09-30 19:44:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:6v10RTfv3LlllInfVWnabNtibkMMgJKsUAzyIfZGN92g2LTalV9qLbJV:42n7llWnsaQkMaOffZE92g2LelV9
Threatray 9'853 similar samples on MalwareBazaar
TLSH T1CDD4842C36444A62EC0EE47099800925BF270F9332F8A582D7DB78CAA79F555FFC4E95
File icon (PE):PE icon
dhash icon c4c4f4e4d8d8603c (1 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e1be4d5a120b60f3e06225f7e8bbccd2
Verdict:
Suspicious activity
Analysis date:
2021-09-30 19:55:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c615bf81-3a0b-42a2-bbd5-8553923ec0d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193781/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37690373.21470.8635.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.37690373.12641.25257.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ea45aef8-cfba-4d61-b10f-332b0ff30fe8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862270
Signature
Antivirus detection for URL or domain
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 494697 Sample: 7wrbIuHmx6 Startdate: 30/09/2021 Architecture: WINDOWS Score: 100 36 www.bjjinmei.com 2->36 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 6 other signatures 2->46 11 7wrbIuHmx6.exe 2 2->11         started        signatures3 process4 signatures5 56 Tries to delay execution (extensive OutputDebugStringW loop) 11->56 58 Tries to detect virtualization through RDTSC time measurements 11->58 60 Injects a PE file into a foreign processes 11->60 14 7wrbIuHmx6.exe 11->14         started        process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.simpeltattofor.men 103.224.182.210, 49844, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 17->30 32 murdabudz.com 160.153.136.3, 49836, 80 GODADDY-AMSDE United States 17->32 34 10 other IPs or domains 17->34 38 System process connects to network (likely due to code injection or exploit) 17->38 21 wlanext.exe 17->21         started        24 autoconv.exe 17->24         started        signatures10 process11 signatures12 48 Self deletion via cmd delete 21->48 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 26 cmd.exe 1 21->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1fae82dd43e0af0adf50dea57a3a609682ea8a604d67701448ab91d3193f4eb1/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-09-30 06:57:21 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c22acaa973cbb781aea92dc1fb5a8c7cc1fd2abd403f2a6b9703f8f1e1c8657
Formbook
129d230573fdb00a681a7f0c507bc16d2efcd08c4408f544f1d7653162b2cd92
Formbook
1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24
Formbook
50c6754cbbd313acc6a250182439a1191d8f8318f0794feea75bd647b6205f7a
Formbook
64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025
Formbook
6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c
Formbook
75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6
Formbook
87f8905d999f293634fddf1bff47a614041bdfaa2f07ef19fe70e5296a7b086e
Formbook
a4c0f021f7b7e196e3a5d8e324cb4084c14941c94d2aab667eb886464948b44a
Formbook
d079479dd85fb94fe08f6cd70cfff35e39c14294174a8ed6f9b480ffc1cbc9b2
Formbook
+ 9'843 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:mjyv loader rat
Link:
https://tria.ge/reports/210930-ygds2saecl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.simpeltattofor.men/mjyv/
Unpacked files
SH256 hash:
5504a5d754cf7b84da550e9f14d30817fd8f5dd98753701d9ec7516d92b015bc
MD5 hash:
7ad3ea0dcbe73bb9445199f99d4d4222
SHA1 hash:
fb4a26a6870e88a5d15cf593b915aa01ddd6ca8e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b2a474d8-0b54-4ed7-99fd-5c1ed75bbd4f/
Parent samples :
83242a0f42be34e66e502e4a3a45d2470f3b24aef8a1d8484711f4439d7fe74a
1fae82dd43e0af0adf50dea57a3a609682ea8a604d67701448ab91d3193f4eb1
b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a
SH256 hash:
1fae82dd43e0af0adf50dea57a3a609682ea8a604d67701448ab91d3193f4eb1
MD5 hash:
e1be4d5a120b60f3e06225f7e8bbccd2
SHA1 hash:
488a278e74f451b661e59fda69473232669b89ee
Link:
https://www.unpac.me/results/b2a474d8-0b54-4ed7-99fd-5c1ed75bbd4f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1fae82dd43e0af0adf50dea57a3a609682ea8a604d67701448ab91d3193f4eb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 1fae82dd43e0af0adf50dea57a3a609682ea8a604d67701448ab91d3193f4eb1

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/193781/
  
URLhaus
https://urlhaus.abuse.ch/url/1649470/

Comments


Avatar
zbet commented on 2021-09-30 19:44:52 UTC

url : hxxp://31.210.20.22/xxm/oii.exe