MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 306f86752e3ae1a4baa4687d06759b43cbcb47a6ded4073b2e066b72ac4054ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 306f86752e3ae1a4baa4687d06759b43cbcb47a6ded4073b2e066b72ac4054ce
SHA3-384 hash: 0ad76a14ce059f22a208d9046425360b6b88a66d44e0f287879507cab9de714225d79e156b84e8c036be855e4f66abba
SHA1 hash: 7900bac42d67d209fcd386627bb02e5e3c0ff2af
MD5 hash: 159eb5786f4b17721261d1b33e1aae08
humanhash: yellow-nuts-sweet-five
File name:159eb5786f4b17721261d1b33e1aae08.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:524'288 bytes
First seen:2021-09-22 12:07:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:WjmtiK5ov1b7Pqt1G1V+EoA5vcNSDuYuDuQ0XRF:Q+Fov1b77toA5owB39F
Threatray 9'471 similar samples on MalwareBazaar
TLSH T139B4127D8B9C5A3FC2ED8AFD14201242AFB5F0167AC5F795DCE0309A6B523E8401796E
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
159eb5786f4b17721261d1b33e1aae08.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-22 12:11:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/93bec13f-2e64-47e1-8a76-6d2699bd146c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190142/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d015e90b-215a-4cc6-8a2f-fe3c66f2f232
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856033
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488465 Sample: HTTZjeZnq9.exe Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 8 other signatures 2->42 10 HTTZjeZnq9.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\HTTZjeZnq9.exe.log, ASCII 10->28 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 HTTZjeZnq9.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.hoshibanamogurablog.com 17->30 32 www.hoshibanamogurablog.com 118.27.122.217, 49789, 80 INTERQGMOInternetIncJP Japan 17->32 34 8 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 WWAHost.exe 17->21         started        signatures10 process11 signatures12 46 Self deletion via cmd delete 21->46 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/306f86752e3ae1a4baa4687d06759b43cbcb47a6ded4073b2e066b72ac4054ce/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 12:08:07 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2fc82f206abb0d6d6b4d7a916be93b408ab78f848531917b3968b066a5a31023
Formbook
3f5c235293cfdde26a725b19b3cbaefc44dae026b7dff9124002f42e564df18b
Formbook
4eb131114c2b67395cff2f126c699a569e6ba5e3a53876f79588dfa0924b3d7e
Formbook
5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8
Formbook
768252369536d1e56aad57c5015925ec464642d13d76468db72e60f9ac4e1a54
Formbook
774c08451198a951fa73f9859b5e48c12c5df9214759e4717e56d92fb4c09d1e
Formbook
7b4c1bf9a15a419080fe02866aa26f162f79d5e01763c6af5915b07988556223
Formbook
b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb
Formbook
fa9bd0ededa6a35bd948c884848855568c1efd4e77bd2ca7786144f81d3f64c5
Formbook
+ 9'461 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n092 loader rat
Link:
https://tria.ge/reports/210922-paxg5scea4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.awbnmnmammmamnre.top/n092/
Unpacked files
SH256 hash:
aa5cb7cc29d2e9b013c0d2f4635ada8345cd497080a13311f726f7fd8163de77
MD5 hash:
442ccc8222893c61da9a4d3c943ea347
SHA1 hash:
0b3325aa107f9f7494b30ab0937fe01e74570fe5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/381714bf-d2a4-4218-aa2f-ad34579a6266/
Parent samples :
fa9bd0ededa6a35bd948c884848855568c1efd4e77bd2ca7786144f81d3f64c5
3f5c235293cfdde26a725b19b3cbaefc44dae026b7dff9124002f42e564df18b
306f86752e3ae1a4baa4687d06759b43cbcb47a6ded4073b2e066b72ac4054ce
8f7fa187226287ba3a8858e75b00b021022fbfbc8f1f7ae01557cf692510fe00
071ff0663683acd797626d877df6a388efed518c61ab3c083034c27841a6742e
88a493516a6037955cefbfa462f2db1272f621053e3f08dd18f5a0882904a6b1
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/381714bf-d2a4-4218-aa2f-ad34579a6266/
SH256 hash:
31344a3e99844ff0c570aad40457a46209587b6cd3598a2e05276681dabfa262
MD5 hash:
a1dde35dad5f595bd0016db9f5f9d275
SHA1 hash:
b174a58860eacc810c4012793b2aa6971d993ad4
Link:
https://www.unpac.me/results/381714bf-d2a4-4218-aa2f-ad34579a6266/
SH256 hash:
ad04385f2e561059b3030787983453df7624debcbb8d7a94d14e332b64041c2b
MD5 hash:
0633d70fd274d8eae31a9fd25e887347
SHA1 hash:
82d30023e03fc3e9e6f3ea07fe17583c4da5759f
Link:
https://www.unpac.me/results/381714bf-d2a4-4218-aa2f-ad34579a6266/
SH256 hash:
306f86752e3ae1a4baa4687d06759b43cbcb47a6ded4073b2e066b72ac4054ce
MD5 hash:
159eb5786f4b17721261d1b33e1aae08
SHA1 hash:
7900bac42d67d209fcd386627bb02e5e3c0ff2af
Link:
https://www.unpac.me/results/381714bf-d2a4-4218-aa2f-ad34579a6266/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/306f86752e3ae1a4baa4687d06759b43cbcb47a6ded4073b2e066b72ac4054ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 306f86752e3ae1a4baa4687d06759b43cbcb47a6ded4073b2e066b72ac4054ce

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1635438/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190142/

Comments