MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43a2069e57baacb53de658addca8950b570ce19334cd6c617c4c1060f9296fb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43a2069e57baacb53de658addca8950b570ce19334cd6c617c4c1060f9296fb7
SHA3-384 hash: e5f76bfed4aba0cb266e41ce58318ab376fbcec9b251e833655be3798302a411962ccef4307128fd8a27e7f9d2d7051a
SHA1 hash: 108a794f0bd4bd6b7261c9cd19f8493246fe75eb
MD5 hash: 60bcb12ff719b3eba42022265051550d
humanhash: mississippi-shade-texas-fix
File name:scan copy 2402021.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:909'312 bytes
First seen:2021-04-12 16:22:09 UTC
Last seen:2021-04-12 22:23:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:LfkgkOV3X5Y+YWoaEEcUi9XfSaX7CIt8yRb:Lfk6Jga7adfLeIt
Threatray 4'699 similar samples on MalwareBazaar
TLSH F115CFAC36507ADFC927C976CA581C74EA6070BA531BD203A05712EDAE0DAA7DF141F3
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
scan copy 2402021.exe
Verdict:
Malicious activity
Analysis date:
2021-04-12 16:25:55 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/808c8587-d87e-446d-bd25-0fa2c2ca69ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133807/
Detection(s):
SecuriteInfo.com.Artemis60BCB12FF719.25739.31151.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/673338
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 385619 Sample: scan copy 2402021.exe Startdate: 12/04/2021 Architecture: WINDOWS Score: 100 42 www.thepredictable360.com 2->42 44 www.thecoolprojector.com 2->44 46 4 other IPs or domains 2->46 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 13 other signatures 2->66 11 scan copy 2402021.exe 6 2->11         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\CcrvkjcGLHDwX.exe, PE32 11->36 dropped 38 C:\Users\user\AppData\Local\...\tmp4CEB.tmp, XML 11->38 dropped 40 C:\Users\user\...\scan copy 2402021.exe.log, ASCII 11->40 dropped 70 Writes to foreign memory regions 11->70 72 Injects a PE file into a foreign processes 11->72 15 RegSvcs.exe 11->15         started        18 RegSvcs.exe 11->18         started        20 schtasks.exe 1 11->20         started        signatures6 process7 signatures8 80 Modifies the context of a thread in another process (thread injection) 15->80 82 Maps a DLL or memory area into another process 15->82 84 Sample uses process hollowing technique 15->84 86 Queues an APC in another process (thread injection) 15->86 22 explorer.exe 15->22 injected 88 Tries to detect virtualization through RDTSC time measurements 18->88 26 conhost.exe 20->26         started        process9 dnsIp10 48 www.ehealthak.com 52.128.23.153, 49773, 80 DOSARRESTUS United States 22->48 50 shops.myshopify.com 23.227.38.74, 49771, 49779, 80 CLOUDFLARENETUS Canada 22->50 52 9 other IPs or domains 22->52 68 System process connects to network (likely due to code injection or exploit) 22->68 28 help.exe 12 22->28         started        signatures11 process12 dnsIp13 54 www.hessbbqsweeps.com 28->54 56 hessbbqsweeps.com 28->56 58 192.168.2.1 unknown unknown 28->58 74 Modifies the context of a thread in another process (thread injection) 28->74 76 Maps a DLL or memory area into another process 28->76 78 Tries to detect virtualization through RDTSC time measurements 28->78 32 cmd.exe 1 28->32         started        signatures14 process15 process16 34 conhost.exe 32->34         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/43a2069e57baacb53de658addca8950b570ce19334cd6c617c4c1060f9296fb7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 16:21:41 UTC
File Type:
PE (.Net Exe)
AV detection:
25 of 47 (53.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ioranhsxxkwlkppglcw5zkevbnlqzymtgtgwyyl4jqigb6jjn63q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01476f904e668758ea516e84f359d6d0a4d85dadc179a51788a214ea46ff9dec
Formbook
26c752e870c67846120eefa974dabdb9ee5b0efd3ddcd45f507aeaa638db2572
Formbook
3803dec5e2ab718dedda091e9ee84b588545614ae3d54aa78d956cec21128fda
Formbook
3b70e4fc486e35f388db065ff8f187f55a820ccf8ce90f0e656ff55aaa0d5fdb
Formbook
4e5290b59d085d2d8492782191609fb2847e2f4a554b2ca48d1e7d7c86f6fb92
Formbook
6838e750e4d6b197819aedaeb8e0a183d5fb790da0d6d5e426d99f09bae758d9
Formbook
6878e1b95116d026a4e76c4e8130019f12391307af78a7efe50ce01eebe8ee3d
Formbook
84f28d28b63ae57104a5840373d8debeec9be6886be4051e0bd965b1250dda90
Formbook
ce5c68aa433096637d43913129f31a9ce61fe4023487f2b90e39a03520da88c3
Formbook
f45a023c86d834183f3073c05227d6f40686aef4a71b3893b823be493d7aae83
Formbook
+ 4'689 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210412-7rr5skjjhs/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.trendyheld.com/edbs/
Unpacked files
SH256 hash:
aca66d16e84e78e046dc7c8b03a27df00872210f18ab8b9f193cfca62bb32301
MD5 hash:
6b1b08e77bdd1b8317f7f94c744ec35d
SHA1 hash:
b3f54acb575f47e92b139434db8a01ae66cd5ef5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2c24e67f-bf9d-4837-acad-c8fcf2581f81/
Parent samples :
84f28d28b63ae57104a5840373d8debeec9be6886be4051e0bd965b1250dda90
43a2069e57baacb53de658addca8950b570ce19334cd6c617c4c1060f9296fb7
ae80c3c9ddf62e5b9b70e173c55b946db7a41aafee9bd645621157e05e9f95f4
9eea2ae3f3200db886bf865381d62d7c4bf5415755cb4cc5ea8b055c94908c06
ab77ccf41d38665285cbc2d460172cc15f9376fc3160da1f3d62e4b4368f439d
SH256 hash:
dd7d186fa91f64d2fbad29984aa6ca370c191cabfc02e00a1e44b055cf11a026
MD5 hash:
c1b0d059cd71d9ec6fb5100ee117be48
SHA1 hash:
6933680c0da41df82bc48c0eae5301bf58bb59d5
Link:
https://www.unpac.me/results/2c24e67f-bf9d-4837-acad-c8fcf2581f81/
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/2c24e67f-bf9d-4837-acad-c8fcf2581f81/
SH256 hash:
43a2069e57baacb53de658addca8950b570ce19334cd6c617c4c1060f9296fb7
MD5 hash:
60bcb12ff719b3eba42022265051550d
SHA1 hash:
108a794f0bd4bd6b7261c9cd19f8493246fe75eb
Link:
https://www.unpac.me/results/2c24e67f-bf9d-4837-acad-c8fcf2581f81/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43a2069e57baacb53de658addca8950b570ce19334cd6c617c4c1060f9296fb7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/133807/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-14 15:38:45 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection