MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22c8527c55a52f56653e38bf1f2dbc8ccc06ab0f0ab16879138f30037b710b0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22c8527c55a52f56653e38bf1f2dbc8ccc06ab0f0ab16879138f30037b710b0a
SHA3-384 hash: 827b5ce0d816afa50048ac8fc55dd3c8ca96d60d29d782965d2cdecf87d112e9c98fcf8f1a1656d1c1c773dda98f0010
SHA1 hash: 37e70527d40c881115036ae2de66e3685d3a8f10
MD5 hash: 7692a9ecc1b4d092387cffe6faa8d762
humanhash: fourteen-thirteen-shade-one
File name:SNO22 PriceLetter595406_RACX-159814.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:382'464 bytes
First seen:2022-01-20 10:31:33 UTC
Last seen:2022-01-20 14:02:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:NwQDqLF3nNxWcZd/GD2LqkIpIwExxDYAFaaC8jd20SgEV0UtLXoRGlBgWIYxSd:9ctzWCd/CWiIwE7nRJM0ShdD/Be
Threatray 12'816 similar samples on MalwareBazaar
TLSH T1CF841211B7FA271AE6BA87F0A535504413BA7E6B1132E31C4E9630DE19B3B82D751B33
Reporter ankit_anubhav
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/221035/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1165.2953.659.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed print.exe update.exe
Link:
https://www.filescan.io/uploads/61e93a280f8c757253d0259d/reports/9ece9729-d6e3-4126-ace5-e6c6506dc936/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a4de5ea1-039c-47ee-860c-d61ee127a74c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/924329
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 556802 Sample: SNO22 PriceLetter595406_RAC... Startdate: 20/01/2022 Architecture: WINDOWS Score: 100 34 www.trashbinwasher.com 2->34 36 www.psidsamor.com 2->36 38 8 other IPs or domains 2->38 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 11 other signatures 2->48 11 SNO22 PriceLetter595406_RACX-159814.exe 3 2->11         started        signatures3 process4 file5 32 SNO22 PriceLetter5...RACX-159814.exe.log, ASCII 11->32 dropped 58 Injects a PE file into a foreign processes 11->58 15 SNO22 PriceLetter595406_RACX-159814.exe 11->15         started        signatures6 process7 signatures8 60 Modifies the context of a thread in another process (thread injection) 15->60 62 Maps a DLL or memory area into another process 15->62 64 Sample uses process hollowing technique 15->64 66 Queues an APC in another process (thread injection) 15->66 18 explorer.exe 15->18 injected process9 process10 20 svchost.exe 18->20         started        23 autoconv.exe 18->23         started        signatures11 50 Self deletion via cmd delete 20->50 52 Modifies the context of a thread in another process (thread injection) 20->52 54 Maps a DLL or memory area into another process 20->54 56 Tries to detect virtualization through RDTSC time measurements 20->56 25 explorer.exe 1 156 20->25         started        28 cmd.exe 1 20->28         started        process12 dnsIp13 40 192.168.2.1 unknown unknown 25->40 30 conhost.exe 28->30         started        process14
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/22c8527c55a52f56653e38bf1f2dbc8ccc06ab0f0ab16879138f30037b710b0a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 10:32:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=elefe7cvuuxvmzj6hc7r6ln4rtgankypbkywq6itr4yag63rbmfa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0450f9017a4e7556c6bbfa5e69363ed935e11fa47efff5755b172103b3b59892
Formbook
52b3b8d10c143dd7b6dfc186bf1e1e0e3c47c3f995dec4e1e4f5f569075d9a38
Formbook
5d407049f81d3b75bf2d9eb7dc14662f533b1ca37d283e5ef50e001a7ac1f758
Formbook
5f5195f363ef21135a5b5298c2a3576bd03125eec094d769b25296eb0a2605b9
Formbook
86df15ac78abc1d224a4249db72d29dcb2979fd0669a15c0d291e47648dc0c1c
Formbook
87f8905d999f293634fddf1bff47a614041bdfaa2f07ef19fe70e5296a7b086e
Formbook
996cc6827a24a8d9ecce1b82269dbbfefd30142f72de61e723173422121c892d
Formbook
dd4d4174a3dc3aa9f5ebff021eb9e561b6e22197d84d4611c6bd83c6cf9ac875
Formbook
+ 12'806 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:p8ce loader persistence rat suricata
Link:
https://tria.ge/reports/220120-mky3lshfaq/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Sets service image path in registry
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
ccb5f0b543560f4a5cd65e4b22502bf80ddc82c8e3eb184acc28a28bc844b4b5
MD5 hash:
4ebd9d3b5bb46e5e601cc40aa605bbfa
SHA1 hash:
e6a285910a8a34c50543a1630c28a15f7d1a2752
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e52d126c-bca5-430d-8582-678009fef5dc/
Parent samples :
4724b55ca938b0bbdc393ddfecec9ccad30b911490e9fc1922546596526cdb04
22c8527c55a52f56653e38bf1f2dbc8ccc06ab0f0ab16879138f30037b710b0a
d80d56cfde862aefb9ea4a4195b12cafc5e93f60bb13d2e1a8a1a5b6fe49d9c5
58fb47124bf49f4190852baec863af03f73216cbba65c7eaa527f6ec6612e42b
af662c52d97d2590fa9a275d02feaf5aab3c18365e002a288efd862bd09aa6b4
SH256 hash:
793955e5a4830d885a085ea7df1b121d87b99dc6565a55418f98a087f225ac58
MD5 hash:
fbfe9571d560411d7c66fe918184435f
SHA1 hash:
74cc27402e9b23206a14746b00b490ace299f182
Link:
https://www.unpac.me/results/e52d126c-bca5-430d-8582-678009fef5dc/
SH256 hash:
8b25188a1581753b0faa89a7e371d2cc852fd95635b8503b6b20a4263af486e8
MD5 hash:
384cab014157440d3c462a97689e40ff
SHA1 hash:
4b91e7dfd574e04db14d2e3223df9327a5b95ba2
Link:
https://www.unpac.me/results/e52d126c-bca5-430d-8582-678009fef5dc/
SH256 hash:
22c8527c55a52f56653e38bf1f2dbc8ccc06ab0f0ab16879138f30037b710b0a
MD5 hash:
7692a9ecc1b4d092387cffe6faa8d762
SHA1 hash:
37e70527d40c881115036ae2de66e3685d3a8f10
Link:
https://www.unpac.me/results/e52d126c-bca5-430d-8582-678009fef5dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/22c8527c55a52f56653e38bf1f2dbc8ccc06ab0f0ab16879138f30037b710b0a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/221035/

Comments