MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45abf01202d5b9993c5d873917cb8f943ed0c479628b62f0bd1e0453c385597c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45abf01202d5b9993c5d873917cb8f943ed0c479628b62f0bd1e0453c385597c
SHA3-384 hash: 6ea1912cae1dd5c77614859f2c8724d9678721a380286d7a161420aa951c8b4db5ebeaf193659584161b012421c07d76
SHA1 hash: 43834ed1d9906748b15d7ccb6390e4f4d1370389
MD5 hash: f7eb2bff3a410fd8ef59e22b4e8c178b
humanhash: xray-blue-cola-nebraska
File name:product samples.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:574'976 bytes
First seen:2021-07-18 20:50:22 UTC
Last seen:2021-07-18 21:32:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Gu9a4QthtX0TuDND0ER2nI25Zk/kvrsp0GYYz2c:Gu9Z6NDNrR2nXnJsp
Threatray 6'591 similar samples on MalwareBazaar
TLSH T1F4C4F0683748BBAEC17F9B79C094182183B0A167931BF38AAC9751FC0D5D781CF66297
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
product samples.exe
Verdict:
Malicious activity
Analysis date:
2021-07-18 20:53:42 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/7ca71347-0ff8-4acc-af7e-11ff3b284605

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172444/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.21727.18467.3021.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4283b0fc-8567-45ae-8438-b3d75b44bec8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817967
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Process Start Without DLL
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 450378 Sample: product samples.exe Startdate: 18/07/2021 Architecture: WINDOWS Score: 100 41 clientconfig.passport.net 2->41 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 7 other signatures 2->55 11 product samples.exe 7 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\...\RRkNQFgEhFLria.exe, PE32 11->33 dropped 35 C:\...\RRkNQFgEhFLria.exe:Zone.Identifier, ASCII 11->35 dropped 37 C:\Users\user\AppData\Local\...\tmpDADB.tmp, XML 11->37 dropped 39 C:\Users\user\...\product samples.exe.log, ASCII 11->39 dropped 65 Writes to foreign memory regions 11->65 67 Injects a PE file into a foreign processes 11->67 15 RegSvcs.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 69 Modifies the context of a thread in another process (thread injection) 15->69 71 Maps a DLL or memory area into another process 15->71 73 Sample uses process hollowing technique 15->73 75 2 other signatures 15->75 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 43 dualstack.sni.bigcartel.map.fastly.net 151.101.1.211, 49757, 80 FASTLYUS United States 20->43 45 www.sjdibang.com 23.248.239.158, 49753, 80 CNSERVERSUS United States 20->45 47 10 other IPs or domains 20->47 57 System process connects to network (likely due to code injection or exploit) 20->57 26 cmd.exe 20->26         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 26->59 61 Maps a DLL or memory area into another process 26->61 63 Tries to detect virtualization through RDTSC time measurements 26->63 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/45abf01202d5b9993c5d873917cb8f943ed0c479628b62f0bd1e0453c385597c/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 11:23:24 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iwv7aeqc2w4zspc5q44rps4psq7nbrdzmkfwf4f5dycfhq4flf6a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
54ab4a1cdce2eb6cac3d05ca5eb317a247a6b5e9164d8c1067f1601953ec8729
Formbook
5d1870672eff4e2ec6d699d654d5268051f7a56f8ca991fefa538eeef380a89c
Formbook
852cc855a1aa63d081ebeec5fd688a3c80d50a14d80c760256c4b46208d77b8d
Formbook
9e23de70acc475a483df75190ca88ff14395f99074f84c8eb86b4eadf523e498
Formbook
a62281360a594e22783fb5dfc0e34645726b22df9ae0939b56a5b41e51289f97
Formbook
c422b04b5177a83b94f15e8bd6b8eca2e7e91a0c082b5035a7aa4b475e38688c
Formbook
dbd108633606663ffe38920ce2c74dee5e68fd23f510e644cfd358271099942c
Formbook
de3c81ef7e59a386f6572d4c095739d45493d90b03c348748200012ec165372f
Formbook
+ 6'581 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210718-8hnqnef45n/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.recareerrecruiter.com/w56m/
Unpacked files
SH256 hash:
dcb835c1161010d6bc74d93bb5d13628b947c65976563cfcd688b152125ec735
MD5 hash:
44dd39404ad66587023e849fbf3ec2ff
SHA1 hash:
c7ff8c56aa6620bf2e82bc266d77c4a30933f72b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c5daf8a0-6955-40ca-90e9-a70cf4f0fbc4/
Parent samples :
0ad43fd8a30f20f600092744496b9008b6293f1c845a567d8b9ad9b9537e16cf
2558ad56322f3be1bcc074599d4f1dad5b9a7ce800d023d79560d30b0f619f50
45abf01202d5b9993c5d873917cb8f943ed0c479628b62f0bd1e0453c385597c
0843599494471ac72b515fc33ea317ed0b384257ff9cb2de7e93a657f9e89878
ccad88cfcaf9a2b65b29af3fe6b85559efe3ffcf032ada3919cfa656eef60e54
5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a
5e4a7a05fd61a82f8bccc6a21dfbcfe91310e4051a0fc7f2c358037a223e193d
SH256 hash:
82a4065578bf324c5a382d4e43510bfe37dc2d4accaa25792aecea77c7387714
MD5 hash:
ecff0ff8f308ad9a7ab4e8d8c6632f1f
SHA1 hash:
b2149cd8ad0767e9ee467d85f7f5d97494ecb07a
Link:
https://www.unpac.me/results/c5daf8a0-6955-40ca-90e9-a70cf4f0fbc4/
SH256 hash:
7c2fee4421d0501c359cd03615d7c9897b7891cfee66f8b5d0ded1c1a8095c5f
MD5 hash:
5808357f459fb3ada67eca5d41137165
SHA1 hash:
af57ed4fe36a4d9d10a17773bf40f97149b9bed7
Link:
https://www.unpac.me/results/c5daf8a0-6955-40ca-90e9-a70cf4f0fbc4/
SH256 hash:
1e632aab64f2d0d369f5677f009de1785fa92b0a8b128932e561ebacbdb173e4
MD5 hash:
3bab0b101e1e95b081e11b6fd2436dc6
SHA1 hash:
3fa1f8353d17350c4b340a67a54e6870ab3b4ec2
Link:
https://www.unpac.me/results/c5daf8a0-6955-40ca-90e9-a70cf4f0fbc4/
SH256 hash:
45abf01202d5b9993c5d873917cb8f943ed0c479628b62f0bd1e0453c385597c
MD5 hash:
f7eb2bff3a410fd8ef59e22b4e8c178b
SHA1 hash:
43834ed1d9906748b15d7ccb6390e4f4d1370389
Link:
https://www.unpac.me/results/c5daf8a0-6955-40ca-90e9-a70cf4f0fbc4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45abf01202d5b9993c5d873917cb8f943ed0c479628b62f0bd1e0453c385597c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 45abf01202d5b9993c5d873917cb8f943ed0c479628b62f0bd1e0453c385597c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/172444/

Comments