MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29175495787385b647e6982e1743e0d928e278b44554662100f53a26a4d97907. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: 29175495787385b647e6982e1743e0d928e278b44554662100f53a26a4d97907
SHA3-384 hash: cbb70354f45a1945f6491be6d9ae3c299339b038b43c61fb7e6464572c4ade5ee61e4df5ea468fa5b240d1b7774e6aea
SHA1 hash: 4602b1216d9e6961f2398618bc525f54b45fa4c5
MD5 hash: e8d945d2105bad763f3b1dc30f2b6142
humanhash: sink-lion-friend-vegan
File name: e8d945d2105bad763f3b1dc30f2b6142.exe
Signature: Formbook
File size: 404'480 bytes
First seen: 2021-08-24 11:43:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:dc6OW1WnXhEDWlzHW3ge7XiqtcBz5D45rY:dNoh0iHr0XiqtcBz5DY
Threatray: 8'404 similar samples on MalwareBazaar
TLSH: T19A84131A82E87318A277D77BFDF137CF4C97392B2AA10CEE481A9350DC64B22C5D1599
Reporter: abuse_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads:
1
# of downloads:
340
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e8d945d2105bad763f3b1dc30f2b6142.exe
Verdict:
Malicious activity
Analysis date:
2021-08-24 12:19:02 UTC
Tags:
evasion stealer trojan rat redline phishing

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Modifying a system executable file
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook RedLine Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected FormBook
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
(Behavior graph rendered as an image on the original page; only its header is recoverable here: Behavior Graph ID: 470708, Sample: tSXyqrumfM.exe, Startdate: 24/08/2021, Architecture: WINDOWS, Score: 100.)
Threat name:
ByteCode-MSIL.Backdoor.Mokes
Status:
Malicious
First seen:
2021-08-24 11:44:19 UTC
AV detection:
29 of 46 (63.04%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:redline family:xloader family:xmrig botnet:3 campaign:ec33 discovery infostealer loader miner persistence rat spyware stealer suricata
Behaviour
Creates scheduled task(s)
Gathers network information
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
XMRig Miner Payload
Xloader Payload
RedLine
RedLine Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
xmrig
Malware Config
C2 Extraction:
http://www.chaturvedi.fyi/ec33/
deyrolorme.xyz:80
xariebelal.xyz:80
anihelardd.xyz:80
Unpacked files
SHA256 hash:
fc690078733fcb88f7995a3a37e9fa36ac7fbf972f40f589dd12f248a2fd4fb1
MD5 hash:
0056bf870c518e0ead690453cbb328e6
SHA1 hash:
9009d673a468b2d6d95396119591ea61eed9948d
SHA256 hash:
4e2f6c687dd7368e38f30c8fcee1f78cb33fb7aede97783fe06d82bbbbb55cb4
MD5 hash:
e2f4ae3b60c63a5b8fd415ecdf1341fb
SHA1 hash:
70d577cba7f22ad45e63077fe30833c8dde8ee64
SHA256 hash:
a47c9bb528fd7030eaa384452e5e019179b780b68505d91017a453926cb8a4dc
MD5 hash:
4491fc9ec9e00a83e08be4c978316432
SHA1 hash:
6f15dd664c80e6db0b5e7a8c8d985cde2a11a6a7
SHA256 hash:
29175495787385b647e6982e1743e0d928e278b44554662100f53a26a4d97907
MD5 hash:
e8d945d2105bad763f3b1dc30f2b6142
SHA1 hash:
4602b1216d9e6961f2398618bc525f54b45fa4c5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_CoinMiner02
Author: ditekSHen
Description: Detects coinmining malware
Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | Formbook | Executable exe 29175495787385b647e6982e1743e0d928e278b44554662100f53a26a4d97907 (this sample)

Delivery method: Distributed via web download
