MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2494c4777a655ce4fe748567a8f0b77e86bddda01f6965d6a3e4012241ba3582. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2494c4777a655ce4fe748567a8f0b77e86bddda01f6965d6a3e4012241ba3582
SHA3-384 hash: dbb8620a2b2ed8f49032bae2c72eff9e2a37059376ccdf9291598fd67d6f89b9bed7aa172d0811e3676df2143455500b
SHA1 hash: 64c9bc4eee1f0b01a2ce1aab36d961e960837531
MD5 hash: 2a3116088b3fdecea999d1f3574feb74
humanhash: one-wolfram-march-cola
File name:2a3116088b3fdecea999d1f3574feb74.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'245'696 bytes
First seen:2021-07-07 15:48:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:eyelDHdaLNFrubZ3mJaEJ/TSTrnYbCug20biYuWOBfWlB:gHdmNFrCZ3WZTdCVJbiBBBE
Threatray 6'233 similar samples on MalwareBazaar
TLSH T12E45DF3920338A92CEAFC7FA4775151E4FACAFFE9047B6742894707900F4B5E4A5192B
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2a3116088b3fdecea999d1f3574feb74.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-07 15:52:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/40713c12-2228-4b62-960d-575ad9ea20ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170227/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.DLO-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6ab82705-9aa4-4b02-8e53-3b998634f436
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812981
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 445392 Sample: 71q14am5gY.exe Startdate: 07/07/2021 Architecture: WINDOWS Score: 100 31 www.wwwgooutdoors.com 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 5 other signatures 2->45 11 71q14am5gY.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\71q14am5gY.exe.log, ASCII 11->29 dropped 55 Tries to detect virtualization through RDTSC time measurements 11->55 57 Injects a PE file into a foreign processes 11->57 15 71q14am5gY.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 33 sbsfe-p8.geo.mf0.yahoodns.net 98.137.244.37, 49773, 80 YAHOO-GQ1US United States 18->33 35 www.zaaaang.com 154.207.35.108, 49766, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 18->35 37 12 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 raserver.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2494c4777a655ce4fe748567a8f0b77e86bddda01f6965d6a3e4012241ba3582/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 09:36:30 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
044a48e38a2ce6f76042fae04889fb81e2563933d63c28532b4dba27b7599add
Formbook
12c961f1b5f752a22c1a3085fc2447749572fbcb35b3c6e46f6fa310b19572b7
Formbook
1f608cb60e33615fb8a94a9d240d27cf99bbe344e24a486ed3311623611930a0
Formbook
22ae731061f7359c7467be0f7a710013516ed356a79b2e23adec7c57a12624a2
Formbook
2dd1a191789c0c1c524360cb9750eb20280de0afbc9f1830a75557dd47988808
Formbook
8241caa4d6c5a09290864492d19dee143f0f80074d370135c0f91bad01c16ee3
Formbook
8ea636d851faf7ce0769fbbe7856659d0eb6638353df90e0c93f461ac3a932be
Formbook
d62c650fa302858696ef4a99776b1b7f95174bd3d73f341ffb5faa4e161d665b
Formbook
e1fee7ee20f6d3bd6e913baeae737c558014454223d552c125c3f963e7c1a843
Formbook
ebb6267e5c3bf10ec8ccba29d6fd2c7b747cef8b758db1544caf9edc7f117d7b
Formbook
+ 6'223 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210707-psvxrf2hma/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.cryptonecronomicon.com/c24q/
Unpacked files
SH256 hash:
4cf5d958132621c60a45f46fe90c7f491436efe8b92fef437af6f9157eeec451
MD5 hash:
b5c42600a48487cbff934aff46f47778
SHA1 hash:
7c7f4ed68c1ca55bf1f6f268230204671997d60a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/8a3ec639-a65e-463f-8f24-c1874c8a3785/
Parent samples :
2494c4777a655ce4fe748567a8f0b77e86bddda01f6965d6a3e4012241ba3582
5305b71cf4cda775dcf02131273c6c774ff2784486157e646a5b6875a4e7ad2a
SH256 hash:
74655f8bd82d96a31b00b8bb0cc61d604b92cd72ba522424886d7254267d87c6
MD5 hash:
89f25a16f80859a3c13a32ac9357789c
SHA1 hash:
5bb5977fc6ecbf1b454024054514e54f6faead67
Link:
https://www.unpac.me/results/8a3ec639-a65e-463f-8f24-c1874c8a3785/
SH256 hash:
0189dc4eb51f56500d2dcbd0702eecd234f872c00c0384b7f266c97f090ac1de
MD5 hash:
d06d85b643387fd23a36625ef0c1df1b
SHA1 hash:
47a45551ff1072499192c481e8a24906d1e316de
Link:
https://www.unpac.me/results/8a3ec639-a65e-463f-8f24-c1874c8a3785/
SH256 hash:
2494c4777a655ce4fe748567a8f0b77e86bddda01f6965d6a3e4012241ba3582
MD5 hash:
2a3116088b3fdecea999d1f3574feb74
SHA1 hash:
64c9bc4eee1f0b01a2ce1aab36d961e960837531
Link:
https://www.unpac.me/results/8a3ec639-a65e-463f-8f24-c1874c8a3785/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/2494c4777a655ce4fe748567a8f0b77e86bddda01f6965d6a3e4012241ba3582

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 2494c4777a655ce4fe748567a8f0b77e86bddda01f6965d6a3e4012241ba3582

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1431205/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170227/

Comments