MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22a6bcf4a037a4ce39127fdb0cb4f8995f647e26318d857939978679342e9494. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22a6bcf4a037a4ce39127fdb0cb4f8995f647e26318d857939978679342e9494
SHA3-384 hash: 0c28a483523c912d8ecffb16451491dae80a9debc56b4f6582fc78e34311933b81068eba64ceec44af89f8b80d56675d
SHA1 hash: c62e7938b912cefd6a0c96d76ab896b51d4a9c88
MD5 hash: da46caac984b88d68a8168413bd77e58
humanhash: delaware-green-cat-football
File name:da46caac984b88d68a8168413bd77e58.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:650'752 bytes
First seen:2021-02-26 14:41:58 UTC
Last seen:2021-02-26 16:54:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:vEmE9ELL/R558hgvqsMrteqY0bOD7jakO6RE9XOE:rL/RIv9kmvkR+4E
Threatray 3'934 similar samples on MalwareBazaar
TLSH 05D4DF1031BA1B56D9FD4BFD0554A28423F261AFB25EE71C0EC631EB6A32B424B11F67
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
da46caac984b88d68a8168413bd77e58.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-26 14:44:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2bd77586-4143-4fb5-8933-bb2f1a916b36

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119433/
Detection(s):
SecuriteInfo.com.Variant.Bulz.372942.13624.10076.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/619770
Signature
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 358880 Sample: LElwKuxT4D.exe Startdate: 26/02/2021 Architecture: WINDOWS Score: 100 34 www.pera-prometheus.com 2->34 36 www.cloudchefbox.com 2->36 38 cloudchefbox.com 2->38 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 3 other signatures 2->48 11 LElwKuxT4D.exe 3 2->11         started        signatures3 process4 signatures5 56 Tries to detect virtualization through RDTSC time measurements 11->56 14 LElwKuxT4D.exe 11->14         started        process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 28 www.bcs.digital 142.4.2.4, 49742, 80 UNIFIEDLAYER-AS-1US United States 17->28 30 fwd3.hosts.co.uk 85.233.160.22, 49752, 80 ISIONUKNamescoLimitedGB United Kingdom 17->30 32 17 other IPs or domains 17->32 40 System process connects to network (likely due to code injection or exploit) 17->40 21 cmmon32.exe 17->21         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22a6bcf4a037a4ce39127fdb0cb4f8995f647e26318d857939978679342e9494/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 14:42:10 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1c0a0e62b6945e4613b04e61cfc76b876d647b632ccf5d72d9d1e24fa967550f
Formbook
1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
Formbook
2bec4da3283f4d9329b155c12e5ee6f5f8943bb43d9e66c1767b877b89a19063
Formbook
36dabaa854dac855255b08b096a1fb6cee39f910dfbd2101812a0c5d33b1a983
Formbook
3a220e6bff537b270991d1bb49e530c7279fb643f8a9b5998bbefae6140a19f4
Formbook
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
Formbook
b8392aaf409d89fe323576fdf09bf3320094962da9812918d23bb47b3d8d53f8
Formbook
c1dc214e929541d1f9d0ede9422bf40f61f766de5e8a32bc2fb2d73a91e4a71e
Formbook
cfc09cd2a2109a174ccbc346779f2e19316be4601173e2e85c3e4314cc139017
Formbook
dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450
Formbook
+ 3'924 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210226-v72yxasxfs/
Unpacked files
SH256 hash:
f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671
MD5 hash:
f984a71581f6da5732110be2a569a392
SHA1 hash:
10de05b6b35fc5dbc00c42d59a4b850bcaae01e6
Link:
https://www.unpac.me/results/20bdcb8a-da57-4560-b69f-b2867fddb5bb/
SH256 hash:
8359431838316c23ccff02fdff5e0f98f1672e98e9b579e6bca757fc5f57e1b6
MD5 hash:
e77cbca19d1050c969b9cd57a2bd6e16
SHA1 hash:
7f611f121e949f3c0a6bb2e9738178b4e1ff6038
Link:
https://www.unpac.me/results/20bdcb8a-da57-4560-b69f-b2867fddb5bb/
SH256 hash:
5b2e81f8e372114d5f270e6e60d5faff153aae86b77a6f3fa13bd4d8f601748f
MD5 hash:
2f9da0bf48f1e71ff643d844a87a2e5b
SHA1 hash:
212dea4bd6837c932b2b59fbd475794ea3c440f7
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/20bdcb8a-da57-4560-b69f-b2867fddb5bb/
SH256 hash:
22a6bcf4a037a4ce39127fdb0cb4f8995f647e26318d857939978679342e9494
MD5 hash:
da46caac984b88d68a8168413bd77e58
SHA1 hash:
c62e7938b912cefd6a0c96d76ab896b51d4a9c88
Link:
https://www.unpac.me/results/20bdcb8a-da57-4560-b69f-b2867fddb5bb/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119433/

Comments