MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d8eaf37de32a6ff36c965b6e616e2085e2d1bd46e75344ca1fea59178c19f15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d8eaf37de32a6ff36c965b6e616e2085e2d1bd46e75344ca1fea59178c19f15
SHA3-384 hash: 2175fa0877bfc9da83bce6fbace515e3ba9e5b72dc35b9f44574590472e1f6f04e2d986cb98c8f38915334c3a7860f8e
SHA1 hash: 545c919239b5d7a2e7d398a0c6317d355a0062f8
MD5 hash: c7a592e62fb6a5741c38a31b2fcee21b
humanhash: video-early-three-hamper
File name:c7a592e62fb6a5741c38a31b2fcee21b
Download: download sample
Signature Formbook
Create hunting rule
File size:38'288 bytes
First seen:2021-07-02 19:27:42 UTC
Last seen:2021-07-02 21:42:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:q6XafEqnwgyDJnilc0kW2dGflfIubwC3pJvU7j1RgpMb88Ihl:bafJwgJcz7MpJijW8W
TLSH E90316DD8AAC09D2E07FF9B8D7E036064730557E2508866F54B688D6CD42BC2EBD816E
Reporter zbetcheckin
Tags:32 exe FormBook signed

Code Signing Certificate

Organisation:fqlan1Law91Pk6b6
Issuer:fqlan1Law91Pk6b6
Algorithm:sha256WithRSAEncryption
Valid from:2021-07-01T21:01:54Z
Valid to:2022-07-01T21:01:54Z
Serial number: c6d7a17eb36bd8f3d87ce6d0e504c17e
Thumbprint Algorithm:SHA256
Thumbprint: d9740892eded613eaaede115fd4978749423c5d7206dc08097882d68b064b0db
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c7a592e62fb6a5741c38a31b2fcee21b
Verdict:
Malicious activity
Analysis date:
2021-07-02 19:31:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/827ad216-2c92-4470-9783-4f062ff64f7f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169410/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46565708.27203.24388.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b50f719a-c1ff-4816-a558-a7a64954f186
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811256
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 443667 Sample: TZzu3LxyFI Startdate: 02/07/2021 Architecture: WINDOWS Score: 100 47 www.resortatalpinecreek.com 2->47 49 www.oxiaer.com 2->49 51 resortatalpinecreek.com 2->51 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Multi AV Scanner detection for domain / URL 2->65 67 Found malware configuration 2->67 69 5 other signatures 2->69 11 TZzu3LxyFI.exe 17 4 2->11         started        signatures3 process4 dnsIp5 61 kakosidobrosam.gq 104.21.67.197, 443, 49716 CLOUDFLARENETUS United States 11->61 79 Adds a directory exclusion to Windows Defender 11->79 81 Tries to detect virtualization through RDTSC time measurements 11->81 83 Hides threads from debuggers 11->83 15 TZzu3LxyFI.exe 11->15         started        18 WerFault.exe 23 9 11->18         started        22 cmd.exe 1 11->22         started        24 2 other processes 11->24 signatures6 process7 dnsIp8 85 Modifies the context of a thread in another process (thread injection) 15->85 87 Maps a DLL or memory area into another process 15->87 89 Sample uses process hollowing technique 15->89 91 Queues an APC in another process (thread injection) 15->91 26 explorer.exe 15->26 injected 53 192.168.2.1 unknown unknown 18->53 45 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->45 dropped 30 conhost.exe 22->30         started        32 timeout.exe 1 22->32         started        34 conhost.exe 24->34         started        36 conhost.exe 24->36         started        file9 signatures10 process11 dnsIp12 55 shops.myshopify.com 23.227.38.74, 49743, 80 CLOUDFLARENETUS Canada 26->55 57 www.templejc.space 26->57 59 www.serenityeternity.com 26->59 77 System process connects to network (likely due to code injection or exploit) 26->77 38 cmmon32.exe 26->38         started        signatures13 process14 signatures15 71 Modifies the context of a thread in another process (thread injection) 38->71 73 Maps a DLL or memory area into another process 38->73 75 Tries to detect virtualization through RDTSC time measurements 38->75 41 cmd.exe 1 38->41         started        process16 process17 43 conhost.exe 41->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d8eaf37de32a6ff36c965b6e616e2085e2d1bd46e75344ca1fea59178c19f15/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-07-02 14:23:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader evasion loader rat trojan
Link:
https://tria.ge/reports/210702-hd8ztdzr1s/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Windows security modification
Xloader Payload
UAC bypass
Windows security bypass
Xloader
Malware Config
C2 Extraction:
http://www.ossotasarim.com/ushb/
Unpacked files
SH256 hash:
4d8eaf37de32a6ff36c965b6e616e2085e2d1bd46e75344ca1fea59178c19f15
MD5 hash:
c7a592e62fb6a5741c38a31b2fcee21b
SHA1 hash:
545c919239b5d7a2e7d398a0c6317d355a0062f8
Link:
https://www.unpac.me/results/03806603-f96f-488c-8be8-a663d4a676f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4d8eaf37de32a6ff36c965b6e616e2085e2d1bd46e75344ca1fea59178c19f15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 4d8eaf37de32a6ff36c965b6e616e2085e2d1bd46e75344ca1fea59178c19f15

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1420820/
Cape
Cape
https://www.capesandbox.com/analysis/169410/

Comments


Avatar
zbet commented on 2021-07-02 19:27:43 UTC

url : hxxp://lontorz.xyz/ashleybinx.exe