MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42e5467c1516b5291491f4acbac29889575738c9f0652655ce7b7eeffa2374d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42e5467c1516b5291491f4acbac29889575738c9f0652655ce7b7eeffa2374d4
SHA3-384 hash: 4dfd74eedb18a32a4d333af6f0276afede102df684f449dd19f465d6f363fd5483c182ce9663c72a174f2252682b1091
SHA1 hash: e0229b402990fad0fe92db278b3f4a3ed7a9767d
MD5 hash: af158cff1deb238eb10b33b07d08a61e
humanhash: alanine-purple-blossom-high
File name:af158cff1deb238eb10b33b07d08a61e
Download: download sample
Signature Formbook
Create hunting rule
File size:484'352 bytes
First seen:2022-06-23 12:45:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:uAJkPRxliW1QrV5WIEDzS1wQ5ar370Xf+aaY53t:uAJkPRrhEVgIMEyL8F53t
TLSH T177A412A927F88729F1EB4BF905EC120427B1BA05A5C0D21ABD6601DFEE907F448D275F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 02616868e0e4e800 (8 x Formbook, 7 x Loki, 4 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/282643/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62b460ca49d6271f1a787d72/reports/da9663e1-561a-476b-8bc4-134eff4bce18/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c411fc47-6bb0-4136-bbc5-d76497c91731
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1018640
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 651136 Sample: NgtGzd295M Startdate: 23/06/2022 Architecture: WINDOWS Score: 100 45 www.meghafinloan.com 2->45 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for URL or domain 2->57 59 9 other signatures 2->59 11 NgtGzd295M.exe 3 2->11         started        signatures3 process4 file5 43 C:\Users\user\AppData\...43gtGzd295M.exe.log, ASCII 11->43 dropped 75 Tries to detect virtualization through RDTSC time measurements 11->75 77 Injects a PE file into a foreign processes 11->77 15 NgtGzd295M.exe 11->15         started        18 NgtGzd295M.exe 11->18         started        20 NgtGzd295M.exe 11->20         started        signatures6 process7 signatures8 81 Modifies the context of a thread in another process (thread injection) 15->81 83 Maps a DLL or memory area into another process 15->83 85 Sample uses process hollowing technique 15->85 87 Queues an APC in another process (thread injection) 15->87 22 explorer.exe 6 15->22 injected process9 dnsIp10 47 alcostransport.com 162.241.226.76, 49809, 49810, 49811 UNIFIEDLAYER-AS-1US United States 22->47 49 madeinfrance.plus 185.221.182.223, 49794, 49795, 49796 TOLVUTHJONUSTANIS Ukraine 22->49 51 24 other IPs or domains 22->51 39 C:\Program Files (x86)\A6lip\mfcx8pxor.exe, PE32 22->39 dropped 41 C:\Users\user\AppData\Local\...\mfcx8pxor.exe, PE32 22->41 dropped 61 System process connects to network (likely due to code injection or exploit) 22->61 63 Benign windows process drops PE files 22->63 65 Performs DNS queries to domains with low reputation 22->65 27 rundll32.exe 1 12 22->27         started        file11 signatures12 process13 signatures14 67 Creates an undocumented autostart registry key 27->67 69 Tries to steal Mail credentials (via file / registry access) 27->69 71 Tries to harvest and steal browser information (history, passwords, etc) 27->71 73 3 other signatures 27->73 30 cmd.exe 2 27->30         started        33 cmd.exe 1 27->33         started        process15 signatures16 79 Tries to harvest and steal browser information (history, passwords, etc) 30->79 35 conhost.exe 30->35         started        37 conhost.exe 33->37         started        process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/42e5467c1516b5291491f4acbac29889575738c9f0652655ce7b7eeffa2374d4/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-23 12:46:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ilsum7avc22ssfer6swlvquyrflvoogj6bssmvoopn7o76rdotka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/220623-pzl3psfgc9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
526ef5df9d974a223af97e351e14e7a3010e287b7e6a1c3cdb132a6db4314326
MD5 hash:
0fb0636cafac3aa43f67017f1fe151ec
SHA1 hash:
8e29b890c4a4a22060bffde9a11631b7af6fb28e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/49f1a329-3cfa-48df-8d96-c2ce43073f38/
Parent samples :
0323d5159dd1425833a2b88830923e17810a4bbbc70dd686702ce4fad69d65e4
42e5467c1516b5291491f4acbac29889575738c9f0652655ce7b7eeffa2374d4
2c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
0c0567f75c861c3950dcdf2b5bdb1f9852fd8cd518587eea22d43a5273dcfa18
9696d3ec13f85ada39b140ae0096e765db0ff630f351ffa1e96484f6a4f2f030
ef5551b32efae3527d147f40eaac18ab0213b7382d5d54bc67fd1c9911007480
44079f7afc8f2b9900564b14b8e3e9e5b8de7ad0b4a1d514e5ff644def494d4e
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/49f1a329-3cfa-48df-8d96-c2ce43073f38/
SH256 hash:
87577e6c69af07ba0e6383a2a152b59a39d6b336631ce4baa250bd9f8adce03d
MD5 hash:
9b17d560e68eff0da30f79b3c391c9a3
SHA1 hash:
5ceda263b1ea13401f652c709dd884d58945fe57
Link:
https://www.unpac.me/results/49f1a329-3cfa-48df-8d96-c2ce43073f38/
SH256 hash:
013bc3ca2f83946c9d4e76eb18c13c69159bdb69a5b7687c9157b8d046bae7cf
MD5 hash:
292a588d6b47e8c3a31063188e18e5ca
SHA1 hash:
3b847f078734876d587af289a23ed04a0fc78885
Link:
https://www.unpac.me/results/49f1a329-3cfa-48df-8d96-c2ce43073f38/
SH256 hash:
701e946c43dc14f2017f9f9a6433536d2f9f3b089c0b491eca72074437d8cbc3
MD5 hash:
a7ce7355195a9fa55d6285ffe04bae82
SHA1 hash:
1808b8a0b34fc1a860d803fcc1826e7f3b7f3fba
Link:
https://www.unpac.me/results/49f1a329-3cfa-48df-8d96-c2ce43073f38/
SH256 hash:
42e5467c1516b5291491f4acbac29889575738c9f0652655ce7b7eeffa2374d4
MD5 hash:
af158cff1deb238eb10b33b07d08a61e
SHA1 hash:
e0229b402990fad0fe92db278b3f4a3ed7a9767d
Link:
https://www.unpac.me/results/49f1a329-3cfa-48df-8d96-c2ce43073f38/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/42e5467c1516/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/42e5467c1516b5291491f4acbac29889575738c9f0652655ce7b7eeffa2374d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 42e5467c1516b5291491f4acbac29889575738c9f0652655ce7b7eeffa2374d4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2247824/
Cape
Cape
https://www.capesandbox.com/analysis/282643/

Comments


Avatar
zbet commented on 2022-06-23 12:45:45 UTC

url : hxxp://103.114.105.209/_msoffice10/smss.exe