MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cef73e83df4c6bb091a157a975a38a2c50be436649414a2ac7a55bc62e67da0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cef73e83df4c6bb091a157a975a38a2c50be436649414a2ac7a55bc62e67da0
SHA3-384 hash: a4e3fc8a3dd22dc0757fd189451b1eb87adb81cfb3e5bf72fe9cd562499a900ee8b00b96422217c58fc680df6acc40b4
SHA1 hash: edd4dd68733c8cb5a798fddf16ef9fe2af4b8cfc
MD5 hash: 9c4e7af0e5d0a8c69fc7f8aa2713a28c
humanhash: mirror-comet-harry-iowa
File name:SWIFT-MLSB-11,546__doc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:301'056 bytes
First seen:2021-11-13 08:16:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:njTy0Ahvw/zGZff7lfFzZr20lPnokvT0xXr1DdyJlGdPT:nHy4Ao0lPDL0Zr1Ddmk
Threatray 11'287 similar samples on MalwareBazaar
TLSH T1E65423186DAD4319C8AEABB290823C591B75C4447963FF5D5C85E0BA8D3B313C639ACF
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4cef73e83df4c6bb091a157a975a38a2c50be436649414a2ac7a55bc62e67da0.zip
Verdict:
Malicious activity
Analysis date:
2021-11-13 11:14:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b6cb8bae-6e14-4a23-abff-59388d3c6ce1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205420/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/618f7480dec3347825a369a5/reports/1d36f60e-de91-46b9-b43a-35175bc8ab7a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bab657a7-ce53-4c02-acfd-e9a188505154
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888497
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520970 Sample: SWIFT-MLSB-11,546__doc.exe Startdate: 13/11/2021 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 8 other signatures 2->46 10 SWIFT-MLSB-11,546__doc.exe 3 2->10         started        process3 file4 32 C:\Users\...\SWIFT-MLSB-11,546__doc.exe.log, ASCII 10->32 dropped 60 Tries to detect virtualization through RDTSC time measurements 10->60 62 Injects a PE file into a foreign processes 10->62 14 SWIFT-MLSB-11,546__doc.exe 10->14         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 17 explorer.exe 14->17 injected process8 dnsIp9 34 www.cmstps.com 168.76.76.21, 49820, 80 ULTRANETSERVICOSEMINTERNETLTDABR South Africa 17->34 36 www.mtliglhare.quest 37.123.118.150, 49842, 80 UK2NET-ASGB United Kingdom 17->36 38 27 other IPs or domains 17->38 48 System process connects to network (likely due to code injection or exploit) 17->48 50 Performs DNS queries to domains with low reputation 17->50 21 wlanext.exe 17->21         started        24 autofmt.exe 17->24         started        26 autofmt.exe 17->26         started        signatures10 process11 signatures12 52 Self deletion via cmd delete 21->52 54 Modifies the context of a thread in another process (thread injection) 21->54 56 Maps a DLL or memory area into another process 21->56 58 Tries to detect virtualization through RDTSC time measurements 21->58 28 cmd.exe 1 21->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4cef73e83df4c6bb091a157a975a38a2c50be436649414a2ac7a55bc62e67da0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-13 05:50:17 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jtxxh2b56tdlwci2cv5jowryulcqxzbwmskbjivmpjk3yyxgpwqa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a
Formbook
378ee60fb2d81639f413f10e21dbb12a052d37fd5e1c56bc160e9a9ad7351e89
Formbook
3dd50b8a58c547fa8f8ef459797b535964d16d4701cf1d822fef31ce7090d91b
Formbook
516601b7a328bcee918e8c52e46f71b39437045489bdaaf90136c9f899197bc8
Formbook
ac4a0328d512526f20122f0399d557b1334f3b2ac264d9e749d6d2788e956b2e
Formbook
b207cf6e0fe84692f4311e2768d913bae8005da5f7ed4cf1cee2459a6f62faa9
Formbook
dafe42f172204ac9777c502bf75a2aa9d621c5bba23080815439446f10b74cab
Formbook
f0748cd86f2648c4ff23611f87661ba89045039966eb9595c2fb4d046249e1f2
Formbook
f836093baf3255830126881722dc2edd86fd615fc922f86d177b0ccb0e3d2941
Formbook
+ 11'277 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ubw4 loader rat suricata
Link:
https://tria.ge/reports/211113-j6pvaabgbr/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.xpirellod.com/ubw4/
Unpacked files
SH256 hash:
e1169ecf8e3130e6373017e746f0005d91af160ad66d89c268ebc19d6848ca21
MD5 hash:
cbe6ad5104f34565d9b5c9823fd09895
SHA1 hash:
91f245ed653b213b47ea98a9006b303dc99f9c86
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5a3a69d2-4883-4680-a98b-b820e105358a/
Parent samples :
2ed62a6c12be1ac67e1a06d92b2c56de72e7457b9f3479e7ea7d399941aae978
b385f036efa9f03e13b28b88c5c8dd82db54888c7f98c4764d4c10f4b1d9b217
f0748cd86f2648c4ff23611f87661ba89045039966eb9595c2fb4d046249e1f2
4cef73e83df4c6bb091a157a975a38a2c50be436649414a2ac7a55bc62e67da0
bfd45290f3080da5b5810624d5dd8b24bc6c95731201740545be2b440941344e
bf37fda61a09aedaf0b68827ee62dbdcc5b458ccf26daaac3df760cb6edc2040
d90b2b5ef3b7a0d8ef5ab0bd5e5c8cfacc42018855b3a80acc5221d053b39800
ad7117e7b38bd79d672590054fda19c333f8595c42f5b82ab237781b305fb2f8
SH256 hash:
bd4c4912209802bb457983177d94b220d20dc9775ff973f90bd1c6afd729bc9c
MD5 hash:
8cde05c2cc918a68b075bdb2854c9994
SHA1 hash:
bc3c4e2826370171102ee8b7bd317493cd72c15f
Link:
https://www.unpac.me/results/5a3a69d2-4883-4680-a98b-b820e105358a/
SH256 hash:
74a29cca0f3305d41e4bfb70d4e8d489dab5bcbcd57a7e4ff2126e69f0827cc7
MD5 hash:
6bbea556626b82cae00dcb73d1550465
SHA1 hash:
42cb29c38d6b19ef1dc86a6df5fcd9d2a371dc16
Link:
https://www.unpac.me/results/5a3a69d2-4883-4680-a98b-b820e105358a/
SH256 hash:
4cef73e83df4c6bb091a157a975a38a2c50be436649414a2ac7a55bc62e67da0
MD5 hash:
9c4e7af0e5d0a8c69fc7f8aa2713a28c
SHA1 hash:
edd4dd68733c8cb5a798fddf16ef9fe2af4b8cfc
Link:
https://www.unpac.me/results/5a3a69d2-4883-4680-a98b-b820e105358a/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4cef73e83df4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4cef73e83df4c6bb091a157a975a38a2c50be436649414a2ac7a55bc62e67da0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/205420/

Comments