MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cacbf5edb0feaee79523ed3d17bd8ad53528244142244ca40626626baaec46b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cacbf5edb0feaee79523ed3d17bd8ad53528244142244ca40626626baaec46b
SHA3-384 hash: f42d8e05c6df7a48ea3e591739b2f1f9f98863113bc069cddc47c8b477f345729c7885bbc11f654c54f1dfd9e978ada4
SHA1 hash: 909a54cd46ac529cdf650db098c7c28aca19d1f3
MD5 hash: adddf3a2c58bf1683ea1f4703025fbff
humanhash: pluto-bluebird-magazine-tango
File name:SOA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:448'512 bytes
First seen:2021-09-13 03:17:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:PTk4DbF53e0IUFLuv1o1D0pqxeWGM4g5Lq:zyONNGB
Threatray 9'246 similar samples on MalwareBazaar
TLSH T1F2949D242DFE5029F173AFBA9AD4B4969AAFB7333607D85D245103870B23F40DE9153A
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA.exe
Verdict:
Malicious activity
Analysis date:
2021-09-13 03:18:01 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/6bca2a56-19ef-421c-8a05-09f3995ef7cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187176/
Detection(s):
Win.Packed.Pwsx-9892840-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6174f976db358dd15ed91343/reports/2abc1e1b-941d-449a-bbbc-5a5d3fcf3ef3/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b72c7ab3-c121-41df-8f94-30948b7bb2c9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849446
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 481877 Sample: SOA.exe Startdate: 13/09/2021 Architecture: WINDOWS Score: 100 41 www.booksbykimberlyeandco.com 2->41 43 booksbykimberlyeandco.com 2->43 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 10 other signatures 2->57 11 SOA.exe 7 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming33vkXuAc.exe, PE32 11->33 dropped 35 C:\Users\user\...35vkXuAc.exe:Zone.Identifier, ASCII 11->35 dropped 37 C:\Users\user\AppData\Local\...\tmpD40F.tmp, XML 11->37 dropped 39 C:\Users\user\AppData\Local\...\SOA.exe.log, ASCII 11->39 dropped 69 Uses schtasks.exe or at.exe to add and modify task schedules 11->69 71 Tries to detect virtualization through RDTSC time measurements 11->71 15 SOA.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 73 Modifies the context of a thread in another process (thread injection) 15->73 75 Maps a DLL or memory area into another process 15->75 77 Sample uses process hollowing technique 15->77 79 Queues an APC in another process (thread injection) 15->79 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 45 samsonengineeringco.com 162.241.224.221, 49778, 80 UNIFIEDLAYER-AS-1US United States 20->45 47 www.allfyllofficial.com 50.87.144.47, 49777, 80 UNIFIEDLAYER-AS-1US United States 20->47 49 13 other IPs or domains 20->49 59 System process connects to network (likely due to code injection or exploit) 20->59 26 mstsc.exe 20->26         started        signatures11 process12 signatures13 61 Self deletion via cmd delete 26->61 63 Modifies the context of a thread in another process (thread injection) 26->63 65 Maps a DLL or memory area into another process 26->65 67 Tries to detect virtualization through RDTSC time measurements 26->67 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2cacbf5edb0feaee79523ed3d17bd8ad53528244142244ca40626626baaec46b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 01:56:39 UTC
AV detection:
12 of 45 (26.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fswl6xw3b7vo46ksh3j5c66yvvjvfasecqrejssamjtcnovoyrvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
013ae675443decd1083ec918ee62b59dfc8b3e17e41f96f4be21c3260a2f372b
Formbook
236348545989c7d1816067f0e7bf78c80d4782e2ac28ab6d9ddbb1a2d4f71cc4
Formbook
33a9702e83888498799c0144e3a3ac06e095aa452ce066a02a3860dcd90d6bb8
Formbook
39ea098dc37c12477cdfde92cb07cf2840d907c262c582a2320ade782e01bbcf
Formbook
5ffbe2b24599383732373e34a80cd2cf864d806595d80dfc1e1ae3af83065780
Formbook
9998ff1d42d8af0fcc166bea36887eebf182e91d1816853d9f80e6cbbbaf9145
Formbook
a2e424247fbdda5f64d71340576e59efd380a71bdfcecc3da9a0e16968c4e709
Formbook
a2ea418fe212c56fabd58c09d12b825f113f613f271c52ee8cca5d70750ea12d
Formbook
bf6ae876108b5fec915d91bd36d3ccd22c8593be29412521c32a4b3f11a757f0
Formbook
e4f6934778af90c9743606ba732f32121601a3b227f5e881eba31595e67a8a05
Formbook
+ 9'236 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b6cu loader rat suricata
Link:
https://tria.ge/reports/210913-dtmw9sfghn/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.allfyllofficial.com/b6cu/
Unpacked files
SH256 hash:
9f0504e928d32b48eebf9c0ff72e61751fa16482f490bba59e4e4c8eda864f3e
MD5 hash:
6a7d943c3990612f8b47f7ecc9f48cf7
SHA1 hash:
de4705788da371a53409575bc59452e2a68f647a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c88fdc19-9947-48b0-9d94-661fb238f9e0/
Parent samples :
2cacbf5edb0feaee79523ed3d17bd8ad53528244142244ca40626626baaec46b
3fd3f37912e5aa23fceb3877d6ee43c8b102410d4fc90b147aab266972939b07
a5fb671ff149d2c1c97fcd000703037ca35298d3d45d4797ab20a190aea0ff10
1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402
207dff33f6f91f114deae60a6cb3a404a5f40bc607fb6015f680c8980af7ac16
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/c88fdc19-9947-48b0-9d94-661fb238f9e0/
SH256 hash:
df7adf618b163cbdd1e0fbbbb34ffb8c653f49373ec2042b7c04cfeb8c4d57e5
MD5 hash:
bea79e55824b3697fae2a7c66a85a425
SHA1 hash:
9ea0fb2f45cd6eac5cc0c05120ca19cc8c24587f
Link:
https://www.unpac.me/results/c88fdc19-9947-48b0-9d94-661fb238f9e0/
SH256 hash:
2cacbf5edb0feaee79523ed3d17bd8ad53528244142244ca40626626baaec46b
MD5 hash:
adddf3a2c58bf1683ea1f4703025fbff
SHA1 hash:
909a54cd46ac529cdf650db098c7c28aca19d1f3
Link:
https://www.unpac.me/results/c88fdc19-9947-48b0-9d94-661fb238f9e0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2cacbf5edb0feaee79523ed3d17bd8ad53528244142244ca40626626baaec46b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 2cacbf5edb0feaee79523ed3d17bd8ad53528244142244ca40626626baaec46b

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/187176/

Comments