MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be
SHA3-384 hash: 0f4457803c77021da4c13fe6fad66be6840980777698ea2741eb4a89d6e4bb87eba824ec5bf0cfcc418361cb7c5fc38c
SHA1 hash: 6ccca366fd276d0bff3197b02bfb8c192fe75cb3
MD5 hash: de8a80136d8b6c2002ba8473bda2a617
humanhash: fifteen-wolfram-kentucky-fifteen
File name:de8a80136d8b6c2002ba8473bda2a617
Download: download sample
Signature Formbook
Create hunting rule
File size:261'580 bytes
First seen:2021-09-17 18:42:38 UTC
Last seen:2021-09-17 21:49:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:x8LxBggmjyU9avHM2nVm+cTc0xvklLAFj:zv1avsRo0xvkEj
Threatray 9'608 similar samples on MalwareBazaar
TLSH T1D94413213AD90867DAAB89F00977777DF27EE91D42A21A070BF8073D2F615174910DFA
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
303
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Orsha_NSC Contract 290720 Order for new shipment.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-17 18:08:38 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/6b05906d-4daf-4473-8dcb-0cde1b5623d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188784/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.29658.9526.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61752ec4db358dd15ed92b83/reports/8580d0d7-ffdd-4eb8-8ee9-6568917f96b6/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e0f8370f-4a45-4bab-aab4-dc67957ed514
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853055
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 485486 Sample: CtNh3b5Jo5 Startdate: 17/09/2021 Architecture: WINDOWS Score: 100 31 www.thesmartroadtoretirement.com 2->31 33 thesmartroadtoretirement.com 2->33 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 5 other signatures 2->43 9 CtNh3b5Jo5.exe 17 2->9         started        signatures3 process4 file5 23 C:\Users\user\AppData\Local\...\tkxaz.dll, PE32 9->23 dropped 51 Detected unpacking (changes PE section rights) 9->51 53 Maps a DLL or memory area into another process 9->53 55 Tries to detect virtualization through RDTSC time measurements 9->55 13 CtNh3b5Jo5.exe 9->13         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 13->57 59 Maps a DLL or memory area into another process 13->59 61 Sample uses process hollowing technique 13->61 63 Queues an APC in another process (thread injection) 13->63 16 explorer.exe 13->16 injected process9 dnsIp10 25 www.skoba-plast.com 193.34.169.17, 49782, 80 UAPROM-ASUA Ukraine 16->25 27 www.starlangue.com 77.222.61.114, 49776, 80 SWEB-ASRU Russian Federation 16->27 29 17 other IPs or domains 16->29 35 System process connects to network (likely due to code injection or exploit) 16->35 20 raserver.exe 16->20         started        signatures11 process12 signatures13 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-09-17 18:43:06 UTC
AV detection:
22 of 45 (48.89%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2c5763d9d89f5d97d070891d79c01e1e534a8f626dce226a5b606a9bc999b56d
Formbook
40f8cfeb5f68c1980aaddf36f9915076d613c4c99293f1f6043180fe1006ea78
Formbook
4afb539f79059c70d141775ea9d479cfd95bbe4d6ef900c996cee8262a166bfc
Formbook
4f588080c3618162c1bd0337092af0ba118b7277de6c2043a988562efdb0cbbb
Formbook
503f83e4dea1cb3a70d4c309471ea87756a2465c64533d2ea7103b37bd787788
Formbook
54ab4a1cdce2eb6cac3d05ca5eb317a247a6b5e9164d8c1067f1601953ec8729
Formbook
62df68b2db0b080a2e963f0c082b5df7b15819032e11fbe5e9dfcfb8d143f61e
Formbook
abb1db77386f0eb3cd2c68603ee8817d6d1015287422182845345dad70503564
Formbook
abb29be2c1eccd851bdb99b126e822a8cf0f57be95e9b71a921aa703b2c285be
Formbook
+ 9'598 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b6a4 loader rat
Link:
https://tria.ge/reports/210917-xcw86agbe8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.helpmovingandstorage.com/b6a4/
Unpacked files
SH256 hash:
f9c0e645ceaf425d5da3ecbb6bbc235b8bec4f8d66b67d8cff2adcc5648d0b98
MD5 hash:
691d8f061dddda87e5c0402d5fa98f66
SHA1 hash:
66f28c50888488d0db0fc678b6457fcacb807602
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4a60d3e1-de3c-4e73-b325-88b9543192c3/
Parent samples :
4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be
a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564
04e98a900ca361b68ebcfbad6453ddc626d93c8afb13916c18dd0e9648187566
SH256 hash:
0d3ec44ee7b6620ca92bfcb80cef8de1ba39f654e7306601fdbcef15c9c9c92b
MD5 hash:
f16dd35b1e4de893d40722c376e95299
SHA1 hash:
ffefd9b768838a28d058ede2572db79f821aa862
Link:
https://www.unpac.me/results/4a60d3e1-de3c-4e73-b325-88b9543192c3/
SH256 hash:
4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be
MD5 hash:
de8a80136d8b6c2002ba8473bda2a617
SHA1 hash:
6ccca366fd276d0bff3197b02bfb8c192fe75cb3
Link:
https://www.unpac.me/results/4a60d3e1-de3c-4e73-b325-88b9543192c3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1628314/
Cape
Cape
https://www.capesandbox.com/analysis/188784/

Comments


Avatar
zbet commented on 2021-09-17 18:42:39 UTC

url : hxxp://198.12.107.117/winz/vbc.exe