MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44d74d198ab05ed038d6ca78530988c46fc81911a5e22bdc286049e70563d208. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

SHA256 hash: 44d74d198ab05ed038d6ca78530988c46fc81911a5e22bdc286049e70563d208
SHA3-384 hash: cc9d55692c702fa4364d368c1057ecb87caed1cad5a0694cc282449bb39cce9a44268f3f192e9c3bb9358125248a83e4
SHA1 hash: b324f85dcfecdd5f36c7d6fd1340d2b5cf065dcb
MD5 hash: 87ed6b3442eabf43293b4e1d4e8af3f1
humanhash: kitten-florida-carbon-harry
File name: INV02746799.exe
Signature: Formbook
File size: 820'224 bytes
First seen: 2022-02-15 04:18:20 UTC
Last seen: 2022-02-15 06:10:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:ILUNkaYfdhNU6vyuZ8v7j8gODKH0Jws4ozwAaQOY6G5oIF+528zBRJv:Ira2FvyPbOmWpzw5QOYZNI5/zF
TLSH: T101050207B76BEB35C12427B540DF923517F19B8C2A33DE7A79BA368C19113620EB9439
Reporter: GovCERT_CH
Tags: exe FormBook xloader

Intelligence

File Origin
# of uploads: 2
# of downloads: 256
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe obfuscated packed replace.exe
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID 572375; sample INV02746799.exe; start date 15/02/2022; architecture WINDOWS; score 100)
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures
Process chain:
INV02746799.exe (started) - dropped C:\Users\user\AppData\...\INV02746799.exe.log (ASCII); Tries to detect virtualization through RDTSC time measurements
  INV02746799.exe (started) - Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    explorer.exe (injected) - network: silhouette-consult.com 192.185.140.21, 49817, 80 (UNIFIEDLAYER-AS-1US, United States); loueofficial.com 81.169.145.156, 49811, 80 (STRATOSTRATOAGDE, Germany); 9 other IPs or domains; System process connects to network (likely due to code injection or exploit)
      svchost.exe (started) - Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        cmd.exe (started)
          conhost.exe (started)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-02-15 03:28:17 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:rmpc loader rat suricata
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files

SHA256 hash: f78780e73536894b81b641dd13bb07a695d4db252660ea0eb05eac4c0c0791ac
MD5 hash: 127f40bd49e98c99917ca783c4f9a043
SHA1 hash: 68844b38e9c16af99c05f81a202ae93e9866e3e9
Detections: win_formbook_g0 win_formbook_auto
Parent samples:
44d74d198ab05ed038d6ca78530988c46fc81911a5e22bdc286049e70563d208
b3b6f6f58e9df22dda93da3c41997e4c36b48b4e8e851a217c572a0b78ce4b83
d53c0ce4893779afc24b84d79e926ba6684b2dbc549b85e8213137e2a8358ab2
555948e64ed4825dea5e57865e80d764aab3dbf4b973a223f7590ee9b72d23f5
3446a9d1fcd21b6e219220379f6b82cccf3cb967b9af1f9e91fa511e90eab639
125c8338e7cdf610f8aa3cc58db3e350997597a525f85ef6e81c38cc155a62da
04ee371bea0863aab03ca6cec8c5512522c4082654ada54991c483610df7a249
fd8161addee5162327eb1bff7dead0d9f2d8c2b6041bf2edaab964e2c38a78a0
9b4ea9f90dc0bd79331fb576e8e11bfcd1aaca5d89eed706bba28e23d81819e6
6c7bc2a0288450e984898339f779daa67583a202427e894fcb55a8c4238daae0
5c291b48b03f7208a95902a735edb8ff29b7fb241d7451b1ed0fbe49f537f3d7
40ca831a495e2c76c2de5e94c2a65fdbc91a6a59e5a5be2c86a2381166365459
43d06e86f98619000a7cc9600f95da73794070c1a541cb5cec13835600631a06
1b6f19244c3917f5c492d60071b20ec6627ca7cba830d16b8e1e45008de6823b
ebc4b771993d4f5850dcb26b20ba7f36cadd67b0f4ee05c691bddff94a6f5ee0
96a0dffa7387628ad30a6d44608812c3b79f6fd07cd8b144ce9bdd8fb4824187
fe7f81cde71cd5b66042ed13b89d0be7529cd5478f0d768181547d9bde21d519
e1754d3bb2df3b1c3c8b6448afd0e7e03b65e4d4a9fa331df40acc0acc38a408
12a79c59a47c99e0fc5ecf626e45e5b4d1abef887f00214096d18e4813757234
7ac201d7a13b441e0e7ec03787bb6570dbb7e88ebc68f021c34f2704793e1675
de3a3c103b66a98978a8d6467d81865c78c4df0448c69c4d7c68d87dc17f7e4a
8d4069f952ab15494c3be7c5cdf0fa161641dcc5fe3a1aab978726ea585f0076
0482134079f147f5535027b2a9e3b0f0c5c841d8d1f38d59ff3e3fdc89f18b7d
d0f3311ded7e19f8d94535b66c9eb741c5d3b4eebbffe924e8c3f2982f266647
d674ad918b0c38a26ec796220f99d14147297ddc01dd8e09c9b9b0dec8998cf2
cba32f8a548cbcab4798e55a6d9c5773ae980932d021126e295a03d05f644f22
de9a953b4f1570485b65622d0255625244e10746d5d2be0384505b60b743a11e
1eb8af23658c91ba76fe9516d0a7f8a678d0122454cb837183326c5a7fb95850
293e285042ed8b51e4166782005c54d1b3c20ba5f148f90b318f3c788115e892
083e99f9a493e14a03ae5c6270873363f0da35583615ef348ea83493a8dc0efa
537d8486471b326e32f04ca8c3c3fbef3955e25722b3e271022b03d8a82f0af2
84d399a3116d4038d5730fdbae6857142c0141f042dbba9a42e8a21e1ce6448b
be51d1c2d8a30045b3fa84863ef8f5073f8ebcdac3bbdbfd483ff61365a9a2c5
fd2f3e46722baeada38453fb8307d78a6a7e590fac0bc7ac36e52e1c95747dfb
06ff0d7203bc986c93f29bba10687aaa29880e3698810b9bea8a5ac04b5ba7a3
c4f73dd9b20be2611e4947816fc9a432b8ae654c84e3e33380543ecfe3323ca1
625c5bcad021d0e8c8f0478d2bec573db81fbf5957e5f9323a481b7d1756f66e
be173845e18d050a20b0dcb71293a32651bc804afe4298225189987d45f4550b
4ac7bddd4fe25bfcc91a63d1fb9a5563af110b5485cd8d00a277938da210a2ca
873b9d986cfc2bbb91df471b4d80bfbfd40f304d7a7fab5260d3ddacd34346a6

SHA256 hash: 026f689e4eb43a95bb91e347d2dee585b6efcc0c179cb65667f232f64a2834a6
MD5 hash: 78eb6f2f026ff66c16f9c2e09ffd831f
SHA1 hash: f9df9155e888cee43e350a76e08d76021c106130

SHA256 hash: 3ca74eb4ce4c2c5604dc298949ae47996d93063abfde0682d689205561d17d44
MD5 hash: 4e35b541f3d9162d0ac93d336df67779
SHA1 hash: bb9e65761186806d4bada659e9d5db0c070501d4

SHA256 hash: fbe2e1695bf836f4c206aec6e78b5cc223e3fe908c732e48eb214f3f42e34f66
MD5 hash: 4664a3e4e798410f52df5fa57b88fab9
SHA1 hash: 81afddb7410f06b82ffac921f80e06d43c7d511e

SHA256 hash: 44d74d198ab05ed038d6ca78530988c46fc81911a5e22bdc286049e70563d208
MD5 hash: 87ed6b3442eabf43293b4e1d4e8af3f1
SHA1 hash: b324f85dcfecdd5f36c7d6fd1340d2b5cf065dcb
Malware family: XLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Formbook
    Executable exe 44d74d198ab05ed038d6ca78530988c46fc81911a5e22bdc286049e70563d208 (this sample)

Dropped by: xloader
Delivery method: Distributed via e-mail attachment

Comments