MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2289ed4365f6de6fbfc6b2faa52cc0e0e4f898468ba079b3f58e29d9a73e49c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2289ed4365f6de6fbfc6b2faa52cc0e0e4f898468ba079b3f58e29d9a73e49c7
SHA3-384 hash: 75b9b2321f4c3ece828dc0de75e277d1320830f45f482756cac99f2f5a5c79d8c32c9ffe3a37f583f3556dae79304dd8
SHA1 hash: f71d913a603139af9e59fbd2aa462a834e929dfd
MD5 hash: 73c3916832698d6d47cde8593d7816f8
humanhash: coffee-neptune-cat-nineteen
File name:73c3916832698d6d47cde8593d7816f8
Download: download sample
Signature Formbook
Create hunting rule
File size:804'352 bytes
First seen:2021-08-16 12:55:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:G0GGGGGGGGGGGGGGGGGGGGDGGGGGGGGGGGGGGGGGGGGGiGGGGGGGGGGGGGUGGDv0:G0GGGGGGGGGGGGGGGGGGGGDGGGGGGGGD
TLSH T15005CF7170A78696F61F8A742178BD5003B131F3E9D699390B5A614ACFEDE983F4820F
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
shipping documents.xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-16 12:11:56 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/38673f0b-bec8-4873-b2d5-c70784f9cfe0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179552/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8fadc74b-8c5c-4082-89a9-ded8ce46182f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833523
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 465954 Sample: p7hsS6PC5s Startdate: 16/08/2021 Architecture: WINDOWS Score: 100 32 www.lauded.world 2->32 34 www.hausoftempo.com 2->34 36 2 other IPs or domains 2->36 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 6 other signatures 2->52 11 p7hsS6PC5s.exe 3 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\...\p7hsS6PC5s.exe.log, ASCII 11->30 dropped 62 Tries to detect virtualization through RDTSC time measurements 11->62 15 p7hsS6PC5s.exe 11->15         started        signatures6 process7 signatures8 64 Modifies the context of a thread in another process (thread injection) 15->64 66 Maps a DLL or memory area into another process 15->66 68 Sample uses process hollowing technique 15->68 70 Queues an APC in another process (thread injection) 15->70 18 explorer.exe 15->18 injected process9 dnsIp10 38 www.china-zhongzhi.com 45.192.251.62, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 18->38 40 www.drmarshaskinner.com 104.21.95.214, 49728, 80 CLOUDFLARENETUS United States 18->40 42 4 other IPs or domains 18->42 54 System process connects to network (likely due to code injection or exploit) 18->54 22 control.exe 12 18->22         started        signatures11 process12 dnsIp13 44 www.china-zhongzhi.com 22->44 56 Modifies the context of a thread in another process (thread injection) 22->56 58 Maps a DLL or memory area into another process 22->58 60 Tries to detect virtualization through RDTSC time measurements 22->60 26 cmd.exe 1 22->26         started        signatures14 process15 process16 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2289ed4365f6de6fbfc6b2faa52cc0e0e4f898468ba079b3f58e29d9a73e49c7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 12:56:09 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eke62q3f63pg7p6gwl5kklga4dsprgcgroqhtm7vryu5tjz6jhdq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ixwn loader rat
Link:
https://tria.ge/reports/210816-la128q5lqa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.fevvwji.icu/ixwn/
Unpacked files
SH256 hash:
6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash:
03bde4a82ad64c0f314985232fbca3fa
SHA1 hash:
e8d0b6339e94192eaaca32c812f914e60576dca6
Link:
https://www.unpac.me/results/4a34271b-2fa5-4c9e-807e-a771841b4bd2/
SH256 hash:
1dfdf031b4e331a4ec8ad80cc29fbc7d8c55519b6b29a1b2f73c8bc52bee5db4
MD5 hash:
b8dd51661c94f26a6ff666e3195b0c77
SHA1 hash:
f57b82d6b0328d0403abbd41e156f832d125b942
Link:
https://www.unpac.me/results/4a34271b-2fa5-4c9e-807e-a771841b4bd2/
SH256 hash:
40875325c8de30360d933cac72cc7f79eb72b3bed993b1a3d153c970dc0c1a82
MD5 hash:
0761fe3886492a1428863ffd1487c562
SHA1 hash:
3230f2b55bce854edaaf6852c57742a3a9884569
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4a34271b-2fa5-4c9e-807e-a771841b4bd2/
Parent samples :
db49dbfeed349b8c5ac59aab65bd065a7e9d90a1a45bcee96301fae6cfd508ef
ebceba62910d7167907d9ece3bdce1dacdf778e82d07801478e0240621100b25
2289ed4365f6de6fbfc6b2faa52cc0e0e4f898468ba079b3f58e29d9a73e49c7
SH256 hash:
2289ed4365f6de6fbfc6b2faa52cc0e0e4f898468ba079b3f58e29d9a73e49c7
MD5 hash:
73c3916832698d6d47cde8593d7816f8
SHA1 hash:
f71d913a603139af9e59fbd2aa462a834e929dfd
Link:
https://www.unpac.me/results/4a34271b-2fa5-4c9e-807e-a771841b4bd2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2289ed4365f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/2289ed4365f6de6fbfc6b2faa52cc0e0e4f898468ba079b3f58e29d9a73e49c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 2289ed4365f6de6fbfc6b2faa52cc0e0e4f898468ba079b3f58e29d9a73e49c7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1538942/
Cape
Cape
https://www.capesandbox.com/analysis/179552/

Comments


Avatar
zbet commented on 2021-08-16 12:55:38 UTC

url : hxxp://202.55.133.158/Resource/.wininit.exe