MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a
SHA3-384 hash: 42d0d0e8eb01d6cea23217d0381a248837964e06bb4092836d025b5a0f942162aeede4088939f79a50edcc3700232689
SHA1 hash: 331e10b03dc5cf994d3985aea2570f08e2707560
MD5 hash: 4b32fb4d21ff7225187b42d4c9722dce
humanhash: august-fanta-violet-ack
File name:campione del prodotto.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'108'992 bytes
First seen:2021-08-14 08:44:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:2Gy2V8gP2iNdmth0+QHU6fm5LJHdkhjn+IZjxwRyCVWHz3T/J4GLIh+wT4P:b1yh0+CcFdyjSkCVm/Jql0
Threatray 7'835 similar samples on MalwareBazaar
TLSH T16735C33D19B92637D0BAC765CBE18817B1909CAF3211FD98A8D663660363F5275C323E
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
campione del prodotto.exe
Verdict:
Malicious activity
Analysis date:
2021-08-14 08:48:07 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/650400b5-13f0-4f60-b81a-747b43223420

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179202/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.59996.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d488f6d-9ba2-4ce2-95e6-876e1ed0d39b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832834
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Process Start Without DLL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 465265 Sample: campione del prodotto.exe Startdate: 14/08/2021 Architecture: WINDOWS Score: 100 44 www.emmettthomas.com 2->44 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 10 other signatures 2->60 11 campione del prodotto.exe 7 2->11         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\RkaONosqCQHta.exe, PE32 11->36 dropped 38 C:\...\RkaONosqCQHta.exe:Zone.Identifier, ASCII 11->38 dropped 40 C:\Users\user\AppData\Local\...\tmp1863.tmp, XML 11->40 dropped 42 C:\Users\...\campione del prodotto.exe.log, ASCII 11->42 dropped 66 Writes to foreign memory regions 11->66 68 Injects a PE file into a foreign processes 11->68 15 RegSvcs.exe 11->15         started        18 RegSvcs.exe 11->18         started        20 schtasks.exe 1 11->20         started        signatures6 process7 signatures8 78 Modifies the context of a thread in another process (thread injection) 15->78 80 Maps a DLL or memory area into another process 15->80 82 Sample uses process hollowing technique 15->82 84 Queues an APC in another process (thread injection) 15->84 22 explorer.exe 15->22 injected 86 Tries to detect virtualization through RDTSC time measurements 18->86 26 conhost.exe 20->26         started        process9 dnsIp10 46 www.255135.com 68.68.98.160, 49742, 80 EGIHOSTINGUS United States 22->46 48 www.856379713.xyz 103.88.34.80, 80 CHINATELECOM-ZHEJIANG-NINGBO-IDCNINGBOZHEJIANGProvince China 22->48 50 5 other IPs or domains 22->50 62 System process connects to network (likely due to code injection or exploit) 22->62 64 Performs DNS queries to domains with low reputation 22->64 28 wscript.exe 12 22->28         started        signatures11 process12 dnsIp13 52 www.856379713.xyz 28->52 70 System process connects to network (likely due to code injection or exploit) 28->70 72 Performs DNS queries to domains with low reputation 28->72 74 Modifies the context of a thread in another process (thread injection) 28->74 76 2 other signatures 28->76 32 cmd.exe 1 28->32         started        signatures14 process15 process16 34 conhost.exe 32->34         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=key3thwkjgqgsqdt6q7vqvbxqh6wvxwmmoqm2zb2kbugwtj6aana._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07af0ffdb9e42eb6ca145708be323b7641311d943d28ba746d5f16dd4c5a3eed
Formbook
0843599494471ac72b515fc33ea317ed0b384257ff9cb2de7e93a657f9e89878
Formbook
45abf01202d5b9993c5d873917cb8f943ed0c479628b62f0bd1e0453c385597c
Formbook
6db6324fe282260a224e77fff9bdad3240a63d48ac587f2a701785ea69c317a5
Formbook
7712bd8e688370cdf586d604192cff97076b02f7eb676fa3ead70f5e55dff20f
Formbook
7fd75617ee39e8ed51f7e118f0aa46b83916dbf0d1d769e088c3fca7a4c0014f
Formbook
91f157317f4b73121bcb06400904d5e9eff6461ea6495804878aa3c9b2966dc8
Formbook
a62281360a594e22783fb5dfc0e34645726b22df9ae0939b56a5b41e51289f97
Formbook
ab4795f656b54e9388c89d6a4df52747510fa418bdb50aa3bafd7b332ef1ff81
Formbook
fd0cf58b93453778c312805f74673284da2548389ee866c37cc91431f0ba9cb1
Formbook
+ 7'825 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:w56m loader rat suricata
Link:
https://tria.ge/reports/210814-45wrlg34tn/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.recareerrecruiter.com/w56m/
Unpacked files
SH256 hash:
dcb835c1161010d6bc74d93bb5d13628b947c65976563cfcd688b152125ec735
MD5 hash:
44dd39404ad66587023e849fbf3ec2ff
SHA1 hash:
c7ff8c56aa6620bf2e82bc266d77c4a30933f72b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c13451a4-1c10-4b94-837e-0b975fcae6b5/
Parent samples :
0ad43fd8a30f20f600092744496b9008b6293f1c845a567d8b9ad9b9537e16cf
2558ad56322f3be1bcc074599d4f1dad5b9a7ce800d023d79560d30b0f619f50
45abf01202d5b9993c5d873917cb8f943ed0c479628b62f0bd1e0453c385597c
0843599494471ac72b515fc33ea317ed0b384257ff9cb2de7e93a657f9e89878
ccad88cfcaf9a2b65b29af3fe6b85559efe3ffcf032ada3919cfa656eef60e54
5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a
5e4a7a05fd61a82f8bccc6a21dfbcfe91310e4051a0fc7f2c358037a223e193d
SH256 hash:
33ac6b8012ce739e72022086b5d39b7fc030c20fa72988f76957685509d5c041
MD5 hash:
83f8ae95a7e6f016f6b00482588086e6
SHA1 hash:
70392939d6d60a913b51084ec1d98eaae8ca4868
Link:
https://www.unpac.me/results/c13451a4-1c10-4b94-837e-0b975fcae6b5/
SH256 hash:
d86da64e499b5a15a22e3b1ac068df1a3d396d0d095817b7d9ae2e3e59d7a9d5
MD5 hash:
331d68e989cb5d614a7ebba2345e0565
SHA1 hash:
3265309014a57cf331ec601eb7d53cb124e8f41d
Link:
https://www.unpac.me/results/c13451a4-1c10-4b94-837e-0b975fcae6b5/
SH256 hash:
5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a
MD5 hash:
4b32fb4d21ff7225187b42d4c9722dce
SHA1 hash:
331e10b03dc5cf994d3985aea2570f08e2707560
Link:
https://www.unpac.me/results/c13451a4-1c10-4b94-837e-0b975fcae6b5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5131b99eca49/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/179202/

Comments