MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 391336702d03ff6b04f7d00b110949c35243f97dd4a393e36d539284f98f4257. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 391336702d03ff6b04f7d00b110949c35243f97dd4a393e36d539284f98f4257
SHA3-384 hash: c72c1bb51b9faf0256485d03f5e8ff60eb4cc7c8f481ae76aea91222b37fcfbe9a25e30456cdf423200c2571de6c0749
SHA1 hash: d3cfe3ed1506892a375f49ff94e91bbbd498bf0f
MD5 hash: a87d64469ed6b47492d02f0b5d3f9a8c
humanhash: summer-robert-montana-football
File name:a87d64469ed6b47492d02f0b5d3f9a8c
Download: download sample
Signature Formbook
Create hunting rule
File size:472'064 bytes
First seen:2022-06-17 10:11:36 UTC
Last seen:2022-06-20 15:04:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:bAejjFX7k8EoyouCnVK9tIDUSsv0YKtMpL:bl28EaucVJYv0YKtc
TLSH T19CA412C076FC5B32DEEDAFFA94D1285403B1A63A3226E3995CC031DA5A27B009754F5B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 3092b27070b29230 (6 x Formbook, 5 x Loki, 3 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
391336702d03ff6b04f7d00b110949c35243f97dd4a393e36d539284f98f4257.zip
Verdict:
Suspicious activity
Analysis date:
2022-06-17 16:47:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/542328e7-d5f9-4650-aee3-da946b7b8c2f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/280949/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.19314.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62ac53770200c8597b342026/reports/ca44ee86-65c7-4c7c-bbac-aa6d369befec/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b36ddaba-f869-40d5-adc6-18eac8115c9d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1015114
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 647605 Sample: 0B4AjKJPTX Startdate: 17/06/2022 Architecture: WINDOWS Score: 96 19 Malicious sample detected (through community Yara rule) 2->19 21 Antivirus detection for URL or domain 2->21 23 Multi AV Scanner detection for submitted file 2->23 25 6 other signatures 2->25 6 0B4AjKJPTX.exe 3 2->6         started        process3 file4 17 C:\Users\user\AppData\...\0B4AjKJPTX.exe.log, ASCII 6->17 dropped 9 0B4AjKJPTX.exe 6->9         started        11 0B4AjKJPTX.exe 6->11         started        13 0B4AjKJPTX.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/391336702d03ff6b04f7d00b110949c35243f97dd4a393e36d539284f98f4257/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2022-06-17 10:12:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hejtm4bnap7wwbhx2afrcckjynjeh6l52srzhy3nkojij6mpijlq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:qg2u loader rat
Link:
https://tria.ge/reports/220617-l8hj4aeaf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
17ad3012d1f9ba27f8b4de3af8596317b1c33063a7a7dfa14a8460c09b64a002
MD5 hash:
5ede74b800a40f83c121445b86f2df31
SHA1 hash:
5d3da8548ea6cb2040a1e43b0241df49c2e4f937
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b6d49def-9697-40bc-9469-26d45024515f/
Parent samples :
05836044e187c21b4be34aa2d1b28f2ee1179a95e4cdf673774cf4451327d706
14e33c808b632f5e4e6e94dc332135dfd337b01eff777b20230790348b63754e
d5a4c9a06e2f17b5ceb734fa1d33b25c6c519b0b2b5ae0bd29b0e75fc86364c3
358769e50fdda092bbae4944f6c3a3db3cde967af3936c4dca22dc578727447d
391336702d03ff6b04f7d00b110949c35243f97dd4a393e36d539284f98f4257
734df837521bfb39c8c047bda85b13579a12d4e69badee243220776e135b41ff
44dc06aa721890ac132139234338f8d5a04a10994e462df08c7c43212f7c2bdf
ce43600b741bcb0a016975e4e276cc89c9553efd2cf65359d3cc5f0b24415f81
SH256 hash:
04860ea318fa307efbd465252d577dfa483b7ca60e2158ddea84ef8532325714
MD5 hash:
0819101d53e40e927170c9f42c53db2d
SHA1 hash:
ffbf221b3d147530596c16b40e195ed0ddab7eb7
Link:
https://www.unpac.me/results/b6d49def-9697-40bc-9469-26d45024515f/
SH256 hash:
42887627fd994e4edc23cc763d49c0476b16cde3292f062d008489736aec4125
MD5 hash:
7c692c84653edbaabccfb77ab598dc86
SHA1 hash:
75d6a8dda339de7146b1ad32b22632863c2ba7c0
Link:
https://www.unpac.me/results/b6d49def-9697-40bc-9469-26d45024515f/
SH256 hash:
84238dc32dc2c72716d7233f509b43a45617e2a24ca07eecda58ae37a704b90b
MD5 hash:
1d6115ad56b1707c8afa1a65f22afc96
SHA1 hash:
58cbf25298e84cf9d91da78ae370ac5ddbb2c3fd
Link:
https://www.unpac.me/results/b6d49def-9697-40bc-9469-26d45024515f/
SH256 hash:
391336702d03ff6b04f7d00b110949c35243f97dd4a393e36d539284f98f4257
MD5 hash:
a87d64469ed6b47492d02f0b5d3f9a8c
SHA1 hash:
d3cfe3ed1506892a375f49ff94e91bbbd498bf0f
Link:
https://www.unpac.me/results/b6d49def-9697-40bc-9469-26d45024515f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/391336702d03ff6b04f7d00b110949c35243f97dd4a393e36d539284f98f4257

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 391336702d03ff6b04f7d00b110949c35243f97dd4a393e36d539284f98f4257

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2242010/
Cape
Cape
https://www.capesandbox.com/analysis/280949/

Comments


Avatar
zbet commented on 2022-06-17 10:11:40 UTC

url : hxxp://172.245.163.174/eke%20file/eke%20%20file.exe