MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22f8bd6d14f40adb264992b23b49be37feeefeb00ff0702bfea5662b401ff8d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22f8bd6d14f40adb264992b23b49be37feeefeb00ff0702bfea5662b401ff8d6
SHA3-384 hash: 0a62834c19b959e7740c256db35ebb384b7e353d77d336939547805d0f42880abc6657e5b6af25f5af95f79765981ce4
SHA1 hash: 505fe3318184ded249c82772cd6f3a2b61d4974a
MD5 hash: 028af3720307d853716bfa0f438a0746
humanhash: eight-purple-wyoming-island
File name:028af3720307d853716bfa0f438a0746.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:840'192 bytes
First seen:2021-08-05 18:40:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:PBKxvx2iNyC/UaTRhdWoecpeKOERq4oZ/8N6/nfYoQamRHJqDV356Rkqh2rNls9x:EX1nnR4cobsqI6/woCHJ6J6vhAq
Threatray 10'721 similar samples on MalwareBazaar
TLSH T192058D6C23FEA619F637FF31AF94E7489FA666B94215DC0E18C4020B5421D82BE67D31
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
342
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
028af3720307d853716bfa0f438a0746.exe
Verdict:
Malicious activity
Analysis date:
2021-08-05 18:44:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/60d583e1-6481-4e24-b319-4f30a73b3bcb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176811/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.924-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18aa8082-1fc1-45dc-8baa-5e05144aa41f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827650
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 460079 Sample: xRvonhwbC4.exe Startdate: 05/08/2021 Architecture: WINDOWS Score: 100 33 www.biovisionchemicalspvtltd.com 2->33 35 www.bermudesfcrasettlement.com 2->35 37 biovisionchemicalspvtltd.com 2->37 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 9 other signatures 2->51 11 xRvonhwbC4.exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\xRvonhwbC4.exe.log, ASCII 11->31 dropped 61 Tries to detect virtualization through RDTSC time measurements 11->61 63 Injects a PE file into a foreign processes 11->63 15 xRvonhwbC4.exe 11->15         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 18 explorer.exe 15->18 injected process9 dnsIp10 39 www.uukuju.com 67.229.203.195, 49751, 80 VPLSNETUS United States 18->39 41 www.safiaccountant.com 18->41 43 7 other IPs or domains 18->43 53 System process connects to network (likely due to code injection or exploit) 18->53 22 systray.exe 18->22         started        25 autochk.exe 18->25         started        signatures11 process12 signatures13 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 59 Tries to detect virtualization through RDTSC time measurements 22->59 27 cmd.exe 1 22->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/22f8bd6d14f40adb264992b23b49be37feeefeb00ff0702bfea5662b401ff8d6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 15:45:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
33 of 46 (71.74%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ef48a153f8c6bb66544df3a1f3c66970439825dfc1eb61f9cb4f9a18adedbc2
Formbook
17d143d76b7279d4a2aba0ec3c614714384bbc57f7b5c1018a76ae7b60da7049
Formbook
1c464db3766010655ad5e1bac6aa6ce0e3023db1e6e139a181478679de27bdb7
Formbook
7b5c683c8f9571d55f21bdd73cec4b0f39a169265e58c5877ca94203e61548af
Formbook
8f5dfe8e291d0fd6aa44d6b06358b1f571f9c1a6172ca2f82a2db10327d0dee8
Formbook
9663361e2770f5ec9528e179cefc03240891ea2eae54f1d55b75765b1d8aa4ef
Formbook
9f86527e3ca4530bb3209d8608dae083afab4ef2cf7b0ae23bcd6fdc322a0c33
Formbook
de5a91649e654f5273032c0e524491e7ac1c6260e1140472c72b031dfe4fba91
Formbook
fefa01b761aa8ab9d5a79db0bc41cd8eaee972248cf52e4d5c2629998e9bc6e2
Formbook
+ 10'711 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:aqu2 loader rat
Link:
https://tria.ge/reports/210805-fcc7xbgkce/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.all4ocean.com/aqu2/
Unpacked files
SH256 hash:
5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4
MD5 hash:
b0e14c3526d6623ae9b7b5f5e0efde76
SHA1 hash:
f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc
Link:
https://www.unpac.me/results/cfc0c7d1-2d82-4ff9-bac0-e8c9519ae445/
SH256 hash:
dc488e6f0a0bff03f2b08ce89fe63417c8ea5c5886b50eccdd2ef9896f94b848
MD5 hash:
8212bed9be58b1758828efd5d75aa68f
SHA1 hash:
1e49e06bd5deae4e8360e5ddfaa593256d01056e
Link:
https://www.unpac.me/results/cfc0c7d1-2d82-4ff9-bac0-e8c9519ae445/
SH256 hash:
be3b18076a47bb630044a58f13ab01c5dbdb804d8ea8369d5c0ccf71970615fd
MD5 hash:
1c685e7e7afeffa3a358461261d14387
SHA1 hash:
a51090785b8542955d147810204240e0e0395b46
Link:
https://www.unpac.me/results/cfc0c7d1-2d82-4ff9-bac0-e8c9519ae445/
SH256 hash:
db95231c53b5fd672bb724e31020ae54862f090578733c84f42b6294c678da60
MD5 hash:
e064e5627bdd49a4afb0f6fabb8732eb
SHA1 hash:
7ac427981a02019cf9fb38cf45b2c20e42949bef
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/cfc0c7d1-2d82-4ff9-bac0-e8c9519ae445/
Parent samples :
17d143d76b7279d4a2aba0ec3c614714384bbc57f7b5c1018a76ae7b60da7049
22f8bd6d14f40adb264992b23b49be37feeefeb00ff0702bfea5662b401ff8d6
SH256 hash:
22f8bd6d14f40adb264992b23b49be37feeefeb00ff0702bfea5662b401ff8d6
MD5 hash:
028af3720307d853716bfa0f438a0746
SHA1 hash:
505fe3318184ded249c82772cd6f3a2b61d4974a
Link:
https://www.unpac.me/results/cfc0c7d1-2d82-4ff9-bac0-e8c9519ae445/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/22f8bd6d14f4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/22f8bd6d14f40adb264992b23b49be37feeefeb00ff0702bfea5662b401ff8d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 22f8bd6d14f40adb264992b23b49be37feeefeb00ff0702bfea5662b401ff8d6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1508981/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/176811/

Comments