MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36dabaa854dac855255b08b096a1fb6cee39f910dfbd2101812a0c5d33b1a983. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36dabaa854dac855255b08b096a1fb6cee39f910dfbd2101812a0c5d33b1a983
SHA3-384 hash: 15b1d090bc0f8ce0d76994805fcbdc67e818ac0645a66e529af56a165c610477886086c351c4114166a664eadf95f5d9
SHA1 hash: ac34c999e62735c6c117507e0fe97dbe0ff30974
MD5 hash: 8e6b004fb91c81b531eb93c36fb0544c
humanhash: victor-iowa-london-gee
File name:IMG_7189012.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:464'896 bytes
First seen:2021-02-19 14:39:37 UTC
Last seen:2021-02-19 16:59:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:kJCnJC/EMYLysUN8d5k/PrNZIec8NlgTHYDZ0dtN:hc/EMwrd5QPRZLPlgsd
Threatray 3'925 similar samples on MalwareBazaar
TLSH 86A48B0A954EC662F2673270D29361F01FA5FC92CCF0BBC7154A7E953972A6C2B31E52
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118031/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.6572.11268.26149.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Launching cmd.exe command interpreter
DNS request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/612769
Signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected Beds Obfuscator
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 355397 Sample: IMG_7189012.exe Startdate: 19/02/2021 Architecture: WINDOWS Score: 100 69 www.therockremodelinghome.com 2->69 71 www.themediatenow.com 2->71 73 2 other IPs or domains 2->73 99 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->99 101 Found malware configuration 2->101 103 Malicious sample detected (through community Yara rule) 2->103 105 7 other signatures 2->105 12 IMG_7189012.exe 3 2->12         started        signatures3 process4 file5 61 C:\Users\user\AppData\...\IMG_7189012.exe.log, ASCII 12->61 dropped 15 IMG_7189012.exe 1 5 12->15         started        18 powershell.exe 15 12->18         started        process6 file7 63 C:\Users\user\AppData\...\FB_CAA1.tmp.exe, PE32 15->63 dropped 65 C:\Users\user\AppData\...\FB_C64B.tmp.exe, PE32 15->65 dropped 21 FB_CAA1.tmp.exe 15->21         started        24 FB_C64B.tmp.exe 15->24         started        67 C:\Users\user\AppData\Roaming\...\Drivers.exe, PE32 18->67 dropped 89 Drops PE files to the startup folder 18->89 91 Powershell drops PE file 18->91 26 conhost.exe 18->26         started        signatures8 process9 signatures10 107 Antivirus detection for dropped file 21->107 109 Multi AV Scanner detection for dropped file 21->109 111 Machine Learning detection for dropped file 21->111 113 5 other signatures 21->113 28 explorer.exe 3 21->28 injected process11 dnsIp12 75 mercedesbenz-jakarta.com 103.253.212.114, 49739, 80 RUMAHWEB-AS-IDRumahwebIndonesiaCVID Indonesia 28->75 77 www.comriv.com 81.17.18.198, 49737, 80 PLI-ASCH Switzerland 28->77 79 17 other IPs or domains 28->79 115 System process connects to network (likely due to code injection or exploit) 28->115 32 Drivers.exe 3 28->32         started        34 msiexec.exe 28->34         started        signatures13 process14 signatures15 37 Drivers.exe 5 32->37         started        40 powershell.exe 19 32->40         started        42 Drivers.exe 32->42         started        44 Drivers.exe 32->44         started        93 Modifies the context of a thread in another process (thread injection) 34->93 95 Maps a DLL or memory area into another process 34->95 97 Tries to detect virtualization through RDTSC time measurements 34->97 46 cmd.exe 1 34->46         started        process16 file17 57 C:\Users\user\AppData\...\FB_9C69.tmp.exe, PE32 37->57 dropped 59 C:\Users\user\AppData\...\FB_8594.tmp.exe, PE32 37->59 dropped 48 FB_9C69.tmp.exe 37->48         started        51 FB_8594.tmp.exe 37->51         started        53 conhost.exe 40->53         started        55 conhost.exe 46->55         started        process18 signatures19 81 Antivirus detection for dropped file 48->81 83 Multi AV Scanner detection for dropped file 48->83 85 Machine Learning detection for dropped file 48->85 87 Tries to detect virtualization through RDTSC time measurements 48->87
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/36dabaa854dac855255b08b096a1fb6cee39f910dfbd2101812a0c5d33b1a983/
Threat name:
ByteCode-MSIL.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-02-19 08:56:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
16 of 48 (33.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g3nlvkcu3lefkjk3bcyjnip3ntxdt6iq366scambfigf2m5rvgbq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1432f0240c91b7439722df807e35ef9b4cc9b126f3e5d42cedb27b28751118d7
Formbook
149bc7bb666f2eabcf946822bd316709ddeeef787f059687415f98c71ad47783
Formbook
170eb254fe7cae506272dd7f934000734f55648fcefab6843eca50311a98a07d
Formbook
1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
Formbook
2ff45850f2e31480bb0020b00786bc290a3979c3db934975e6d15155ba59b453
Formbook
5101663e1850401504dd1e56231725be9a3001ed01e99fa88d348b9511c52f4d
Formbook
67bf85e54212cc6dd8e3f3bdfe292d7440ae7f7ad5f131f9c8b5ea51a86c1e96
Formbook
8241caa4d6c5a09290864492d19dee143f0f80074d370135c0f91bad01c16ee3
Formbook
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
Formbook
c1dc214e929541d1f9d0ede9422bf40f61f766de5e8a32bc2fb2d73a91e4a71e
Formbook
+ 3'915 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210219-e1qya8crk2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
Beds Protector Packer
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.unicom-group.com/mt6e/
Unpacked files
SH256 hash:
a66d610d255539ab4fd58adec682842d977f15c83ec141f25a2bcb03023aa27d
MD5 hash:
0121eb66a766cb27df26bb50a6cd490f
SHA1 hash:
3264af13f8319ec07ab809559ff9cec10db9d944
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d94ec5cc-05b2-4f88-a231-dc3326cb66f6/
Parent samples :
36dabaa854dac855255b08b096a1fb6cee39f910dfbd2101812a0c5d33b1a983
80530706a080d68ebd18bcf85dae9dbe6477c39d7e4aa7381a1c73902c344201
5ffac0ac4e9b5a57bad598ef22150b9a7d5b6f09226f664d486b6e61cce69e13
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/d94ec5cc-05b2-4f88-a231-dc3326cb66f6/
SH256 hash:
7f3069f1f96f87c855fdd44ccbb63786eaa27b079dc790260ebbd56b5173ab67
MD5 hash:
43c7d6632091ff4dd4450da3433e8860
SHA1 hash:
f1f2b2af8733b8b2245c7201d98f33c3eab0cbee
Link:
https://www.unpac.me/results/d94ec5cc-05b2-4f88-a231-dc3326cb66f6/
SH256 hash:
8e65052802b23e541e9824821c9f9b6112c308cfaf6b5d032783fbba3018c7f6
MD5 hash:
1cfb87526660ba80e72b1a58948b2385
SHA1 hash:
586faf6ce1c7b9fada87a77b9d83f3b3b6100b63
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d94ec5cc-05b2-4f88-a231-dc3326cb66f6/
SH256 hash:
36dabaa854dac855255b08b096a1fb6cee39f910dfbd2101812a0c5d33b1a983
MD5 hash:
8e6b004fb91c81b531eb93c36fb0544c
SHA1 hash:
ac34c999e62735c6c117507e0fe97dbe0ff30974
Link:
https://www.unpac.me/results/d94ec5cc-05b2-4f88-a231-dc3326cb66f6/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/118031/

Comments