MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849
SHA3-384 hash: 48e385aa3b334ad0d46f7708a43f975603dd226a6ecd885c03502afb493abeb74787ca6dda88432d0faebe768e7dcff7
SHA1 hash: 7f8f0bbd941bc101a114220e4f296bd58a96a494
MD5 hash: 1f9db0137245508d4ad475170c4811f5
humanhash: social-wyoming-queen-magazine
File name:SKMCTB_报价请求 37746746363463434783647.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:593'408 bytes
First seen:2021-09-01 10:12:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (74 x Formbook, 33 x Loki, 29 x Loda)
ssdeep 12288:mXe9PPlowWX0t6mOQwg1Qd15CcYk0We1k/IPlFQ7HqOq4RfjQtjgZSFyG11:7hloDX0XOf4uwtFjKRfjcgZSFB11
Threatray 8'764 similar samples on MalwareBazaar
TLSH T115C42325BDED0CD9F5FA90F79EC84F79241D76D70C210BACB098DD686D95A132CA08E2
dhash icon 74f4f090cae4e8e0 (5 x Formbook)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKMCTB_报价请求 37746746363463434783647.exe
Verdict:
Malicious activity
Analysis date:
2021-09-01 10:14:49 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/259df1bc-eb45-4fa5-9d99-47faefae4ec2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Win.Malware.Noon-9888778-0
Create hunting rule

SecuriteInfo.com.W32.AIDetect.malware1.26871.13679.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Unauthorized injection to a recently created process
DNS request
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/09b8c95c-baca-498d-a5ce-0666f3f63e6f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843243
Signature
AutoIt script contains suspicious strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 475674 Sample: SKMCTB_#U62a5#U4ef7#U8bf7#U... Startdate: 01/09/2021 Architecture: WINDOWS Score: 100 34 www.sarahdutra.com 2->34 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 5 other signatures 2->44 11 SKMCTB_#U62a5#U4ef7#U8bf7#U6c42 37746746363463434783647.exe 3 2->11         started        signatures3 process4 signatures5 54 Maps a DLL or memory area into another process 11->54 14 SKMCTB_#U62a5#U4ef7#U8bf7#U6c42 37746746363463434783647.exe 11->14         started        process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 28 dreambuildarchitect.com 103.50.162.153, 49726, 80 PUBLIC-DOMAIN-REGISTRYUS India 17->28 30 lacasitadeeithne.com 5.135.185.231, 49724, 80 OVHFR France 17->30 32 13 other IPs or domains 17->32 36 System process connects to network (likely due to code injection or exploit) 17->36 21 wlanext.exe 17->21         started        signatures10 process11 signatures12 46 Self deletion via cmd delete 21->46 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 05:17:01 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=etlzwl2kfk5fdarxgq5xxffyc72r3yfpyhsaenveyjtwk6yrhbeq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1575d06ca2a52c1ff60058d6fba43712c2926ecd3f640710ed8f96ec3aaf57da
Formbook
2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67
Formbook
2f36f2e2951a2540ab138afc8ac70f8bb37b83f01199434e247aa6716e1eb47a
Formbook
64550a0d3d1c28b1ec50006327a707b7287997aa7ca146153440935a033ccb97
Formbook
70e7c5966ac86d48e0519f9b2b34703d2915b603836f4de0be2a2badddd258e7
Formbook
8d56e8c41d8094151017ec3cecc40b5aa78edb0d955d39f3c68c3d211fbcb65a
Formbook
92976a7ee61468fb88761dfa0f9cfdf99b6c6c484ae47e970986acf66926f3a0
Formbook
a08bf89a7e4c15fb33684e268199df85727a6ab759a1d7f3d5ba2b7a0e49f17a
Formbook
c494dceddfa1c8c6944a93f902c641ab5f99352ba48b81849e576f7da353314c
Formbook
d99804145213694ea4b93c8acb43bf14d712b2043c247c703f88ebc97bf9c8d8
Formbook
+ 8'754 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ftgq loader rat suricata upx
Link:
https://tria.ge/reports/210901-kzxpd31hy2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.mambomakaya.com/ftgq/
Unpacked files
SH256 hash:
bbc3a0025b214037b27d5667bebcdcfb103c64daafd22745cb47102a6a6ca115
MD5 hash:
46b34b67fa5dc5cc6a1b3d90a9508121
SHA1 hash:
9e84c6bbcf8548cb28f9f5231c295f2d036051b4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5319572d-0899-4808-a5a4-0397f00af495/
Parent samples :
bc42a2014018e4644194a651f1a42916d2bd62154adda1e05ed3b5847a50317d
3643c16e7017696ca2809399d3edbf2f7f7298e4ef3246951fac256e86176716
0b79991d57a301d4cdf1d4cf7234d2ad5afe5a3895e75b9c12d4bd16a385389a
92976a7ee61468fb88761dfa0f9cfdf99b6c6c484ae47e970986acf66926f3a0
454cdf27c94d9e4a69b615b12536293233057fc9c42fc3cfdab35e711a20694a
e05f95a61609a00f7c8372823b0cd8731524e3d938c8f54a11922491e1a70989
f515599d9ab7045656d0976c3aa5740feab68f862fa2e339379a1118f8ccba4a
8dec5ed95d3ca077bb1c2695074877a7160f97960df22a119d9f2debfb18dc0b
598a6fc7c9e91a6ce28af2833cb0e6262f28fab605fcd74098fc2edf9510b58f
24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849
SH256 hash:
599fb0f5a71387d747dbbf5a447489e273ef45e90210479bedc68ecfa71e0e8a
MD5 hash:
de911426a97e0af3280d41cffa6bb4e7
SHA1 hash:
f81a992727c2c084810748edc5d20f4746104939
Link:
https://www.unpac.me/results/5319572d-0899-4808-a5a4-0397f00af495/
SH256 hash:
24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849
MD5 hash:
1f9db0137245508d4ad475170c4811f5
SHA1 hash:
7f8f0bbd941bc101a114220e4f296bd58a96a494
Link:
https://www.unpac.me/results/5319572d-0899-4808-a5a4-0397f00af495/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849

File information

The table below shows additional information about this malware sample such as delivery method and external references.

47572eacc95505735a27de18e76e995c10c57aa94fb54c615143d0e110cdaebe

Formbook

Executable exe 24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849

(this sample)

  
Dropped by
SHA256 47572eacc95505735a27de18e76e995c10c57aa94fb54c615143d0e110cdaebe
  
Delivery method
Distributed via e-mail attachment

Comments