MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21791c7eba15ff44e84b44080fa6c85cf824afafd5d987ce18d445dc942c34a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21791c7eba15ff44e84b44080fa6c85cf824afafd5d987ce18d445dc942c34a2
SHA3-384 hash: 87a7bc833d27b7740d7cd8f8ff2e0c49aa1588ee3661b4e9e33a409bc25b74ea0b1ff30610c62992ed0fef6a0b1d49cd
SHA1 hash: baa917881d3271723bcc8b49de5837a48e8de40b
MD5 hash: 1970bbf710c8db5b20ce28d568ebe361
humanhash: cup-spring-network-lithium
File name:1970bbf710c8db5b20ce28d568ebe361
Download: download sample
Signature Formbook
Create hunting rule
File size:1'845'248 bytes
First seen:2022-03-03 09:50:54 UTC
Last seen:2022-03-03 12:17:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:8ib2QhThnsT43pEjtOXEP8kSHhj0svPFixFTXLAA1rkafZPUvN95:NITmFUEkSBjtPo7NlfZPUvL5
Threatray 11'276 similar samples on MalwareBazaar
TLSH T19985AD00A2B97616C1BE063DD0B7DC345767B6D7F77DB34A4438E6482BC228399322E6
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6be9bf24-4afc-422a-aeb6-08d9fd36f625fc8c0984-eb6e-4b8e-000c-2972a3b1909f.eml
Verdict:
Malicious activity
Analysis date:
2022-03-03 19:45:17 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/f35c228b-4e28-4be9-9015-302c06ea8dcd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246924/
Detection(s):
SecuriteInfo.com.TrojanHorse.9379.19267.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Adding an access-denied ACE
Sending a custom TCP request
Сreating synchronization primitives
Creating a file
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Forced shutdown of a system process
Launching the process to create tasks for the scheduler
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4d3ae6a-9cea-4b69-b6f9-b56ed062383c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/950071
Signature
Contains functionality to hide user accounts
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/21791c7eba15ff44e84b44080fa6c85cf824afafd5d987ce18d445dc942c34a2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 09:52:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
57f0ec5d28d0ee7481e9a465f94bf79fa5d135e9b7d1d1e8b98b70442910c7a6
Formbook
667e5e3584ef11bc6dc12e693546b3a62cb487d507379e9dc4be3a1767d80be9
Formbook
7eb60b42eb8755d31d411c32b45f7431eb9e084fb0749d92c83ffe2598b6564c
Formbook
a71e32c316d38a8ed867e32672cc48624e1e716f8a339e29dc57108216b0bc8a
Formbook
a8d57222d66a26a6ef7fe2d8eeb11a8af7ea9693afcbb31eece3519379c07784
Formbook
d63af956dec05f8f8f440cc6feedb7d8045cbe0c2953eae0c9e612af8451c57c
Formbook
ea1c7db69290a2b343646ede684b58ed96e891feab6dadbbc9909c1c245d4bf2
Formbook
+ 11'266 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:arh2 loader rat suricata
Link:
https://tria.ge/reports/220303-lvhb6scbdr/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/819652ca-040d-471b-be81-7aca0d14ae15/
SH256 hash:
b4cfb8357b1330e86aeffb9230278998ad27932c370fbf4d59af12c68b674dea
MD5 hash:
95383d174073d7b51954d1ebd4aa361f
SHA1 hash:
85a24c24da6450f614015cd2f8869f5f5b8b2210
Link:
https://www.unpac.me/results/819652ca-040d-471b-be81-7aca0d14ae15/
SH256 hash:
3ea314ccb5bd03e6acbbf58e037e0785160b33c2090b79b14da76285f345238f
MD5 hash:
4e01b61db6bf510fffe0fc29937d5b08
SHA1 hash:
c0cb0a98fd0a774f193748d9f0efd3f9e27f7a5e
Link:
https://www.unpac.me/results/819652ca-040d-471b-be81-7aca0d14ae15/
SH256 hash:
762160050ebc25c1c9c6b55da8c1453d4742cf65a08db53027c90abef1427936
MD5 hash:
53494327d463334941b5b5f6df33436f
SHA1 hash:
5154ac514f16ff0eb332bd05f709ff0c912b366c
Link:
https://www.unpac.me/results/819652ca-040d-471b-be81-7aca0d14ae15/
SH256 hash:
57dd80ff94e4263536266c8ae07f3b82ebfd1691b6196723e48471aad4ee0a5f
MD5 hash:
83bef249a10dad3859ffdda4548d0a32
SHA1 hash:
0f9ee00b9071e9bcd92a18c29c3503e2906b778b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/819652ca-040d-471b-be81-7aca0d14ae15/
SH256 hash:
21791c7eba15ff44e84b44080fa6c85cf824afafd5d987ce18d445dc942c34a2
MD5 hash:
1970bbf710c8db5b20ce28d568ebe361
SHA1 hash:
baa917881d3271723bcc8b49de5837a48e8de40b
Link:
https://www.unpac.me/results/819652ca-040d-471b-be81-7aca0d14ae15/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/21791c7eba15/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21791c7eba15ff44e84b44080fa6c85cf824afafd5d987ce18d445dc942c34a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 21791c7eba15ff44e84b44080fa6c85cf824afafd5d987ce18d445dc942c34a2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2073570/
Cape
Cape
https://www.capesandbox.com/analysis/246924/

Comments


Avatar
zbet commented on 2022-03-03 09:50:57 UTC

url : hxxp://103.167.92.57/savespace/vbc.exe