MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5217b3fe46cd872a4c4da5099d4eb2d66c8f5278f5c355c68c9c88f891e66cae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5217b3fe46cd872a4c4da5099d4eb2d66c8f5278f5c355c68c9c88f891e66cae
SHA3-384 hash: 59c566644ecf3a4eb2cbe2ac6e16f89969bbe313a34875d711cdbf4167d2be9f14b7bcce59bd4ffba2d84f86550da30a
SHA1 hash: ea94ec0cc07a4c8cf31773f0baab6a830043fee0
MD5 hash: 6eee388d827ad3b7bdef0a4fd3fabf65
humanhash: cup-bravo-juliet-stream
File name:PALMETTO STATE PARTS98_xlxs.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:526'848 bytes
First seen:2021-11-19 14:52:53 UTC
Last seen:2021-11-19 17:07:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:tmhtD00BVahn/JNs2gkfw7WND3U7IgPHXh0q+lnMBEp:AhC06ne6k7IK3aq+FMBEp
Threatray 11'504 similar samples on MalwareBazaar
TLSH T134B4015033E8AB96EA7D57F14862D45023B97E1E28A5D21D5DC220CF2539F00AB92FF7
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PALMETTO STATE PARTS98_xlxs.exe
Verdict:
Malicious activity
Analysis date:
2021-11-19 15:00:29 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/bffa7483-7a24-499a-ae18-33ba4e98b061

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1104.10484.18493.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6197ba4e43e8f62b669a8575/reports/24babb8b-981e-48e9-b8c7-d247e26c3b90/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c761b292-0a16-4f04-8907-a24fd2be7d5d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892708
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 525181 Sample: PALMETTO STATE PARTS98_xlxs.exe Startdate: 19/11/2021 Architecture: WINDOWS Score: 100 41 www.finalimpactoutdoors.com 2->41 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 10 other signatures 2->55 11 PALMETTO STATE PARTS98_xlxs.exe 3 2->11         started        signatures3 process4 file5 39 C:\...\PALMETTO STATE PARTS98_xlxs.exe.log, ASCII 11->39 dropped 69 Injects a PE file into a foreign processes 11->69 15 PALMETTO STATE PARTS98_xlxs.exe 11->15         started        18 PALMETTO STATE PARTS98_xlxs.exe 11->18         started        signatures6 process7 signatures8 73 Modifies the context of a thread in another process (thread injection) 15->73 75 Maps a DLL or memory area into another process 15->75 77 Sample uses process hollowing technique 15->77 79 Queues an APC in another process (thread injection) 15->79 20 explorer.exe 4 15->20 injected process9 dnsIp10 43 www.godiswithus.online 185.230.61.173, 49833, 80 WIX_COMIL Israel 20->43 45 greencow.agency 178.208.83.35, 49822, 80 VDSINA-ASRU Russian Federation 20->45 47 33 other IPs or domains 20->47 37 C:\Users\user\AppData\...\l6qlgxkv0h.exe, PE32 20->37 dropped 57 System process connects to network (likely due to code injection or exploit) 20->57 59 Benign windows process drops PE files 20->59 25 rundll32.exe 1 12 20->25         started        file11 signatures12 process13 signatures14 61 Tries to steal Mail credentials (via file / registry access) 25->61 63 Self deletion via cmd delete 25->63 65 Tries to harvest and steal browser information (history, passwords, etc) 25->65 67 3 other signatures 25->67 28 cmd.exe 2 25->28         started        31 cmd.exe 1 25->31         started        process15 signatures16 71 Tries to harvest and steal browser information (history, passwords, etc) 28->71 33 conhost.exe 28->33         started        35 conhost.exe 31->35         started        process17
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5217b3fe46cd872a4c4da5099d4eb2d66c8f5278f5c355c68c9c88f891e66cae/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2021-11-19 13:27:20 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kil3h7sgzwdsutcnuuez2tvs2zwi6uty6xbvlrumtseprepgnsxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
092be1f456b0c24d932d6c4e4c44cfd0c9abc6c0418bf1567e67826cb51aef14
Formbook
1764a3523eb73d0b632820c013bb2a723fbb3779c7eb59c7e0b67cd488deda6d
Formbook
59139210e96ea7a1ca64dbb343b225be422bc0d3c66a673959b3e8e076bceea7
Formbook
6ffe756ce71f1457d7dd480357f3545f123b750fc4bf30683b59887d491948a7
Formbook
7946718754bb669d3c7a80e355a20047e3e87dbfa9446927ceb6fabab21847d1
Formbook
832c65a202ec1c69a8297af3d2fc3d233ac65b7c2c670f30d0694089601c9cfe
Formbook
86aab91018b32a9ee913459090b66fe44f00e625f05560483547ad39d542a61b
Formbook
91a166f9a29ad832c9640078210a47e5afa928ab1a79a7b40d3b358e9c8bc5d5
Formbook
b16670d7ab7fc43029ef6033d5bf6b8a3ad78f09fefed66ec6351c7eac0a53f8
Formbook
+ 11'494 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:cfb2 loader rat
Link:
https://tria.ge/reports/211119-r9atjadfb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.naskitchen.online/cfb2/
Unpacked files
SH256 hash:
52bab4a6de2a7acd69b608142f1a8c7aadd72225d6bc8f0147bce42dd114ec51
MD5 hash:
3f65b2b0792a46dc2d40c5f4271a866b
SHA1 hash:
f93d2ed4cb9992374b5dc28b6e123ee86023fc38
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c3591d39-e0a5-4661-8ea5-e771e2ada257/
Parent samples :
355da352f5a3782b61c87156e127d0ad167a379a7b9a0889574c2a773b55a122
5217b3fe46cd872a4c4da5099d4eb2d66c8f5278f5c355c68c9c88f891e66cae
SH256 hash:
cc5c5860e83b708cd158454165cbeb714767119946049de5aa7677685be75c14
MD5 hash:
83cbea4dec6e5b64a85ee9b6f9ff7598
SHA1 hash:
5c1d12b792c32ba73b7bf2634da5e4d9fbcd7d4e
Link:
https://www.unpac.me/results/c3591d39-e0a5-4661-8ea5-e771e2ada257/
SH256 hash:
0c19614848b3f0c55ba8d2dde33549e7f6a4bb381bbcd9ccf4e07b1d1b0a6fca
MD5 hash:
f4e8c9a793d4760d70e235d1057c9e0f
SHA1 hash:
1defe5928acaa6f117dddb42200d5c16f682c516
Link:
https://www.unpac.me/results/c3591d39-e0a5-4661-8ea5-e771e2ada257/
SH256 hash:
5217b3fe46cd872a4c4da5099d4eb2d66c8f5278f5c355c68c9c88f891e66cae
MD5 hash:
6eee388d827ad3b7bdef0a4fd3fabf65
SHA1 hash:
ea94ec0cc07a4c8cf31773f0baab6a830043fee0
Link:
https://www.unpac.me/results/c3591d39-e0a5-4661-8ea5-e771e2ada257/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5217b3fe46cd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/5217b3fe46cd872a4c4da5099d4eb2d66c8f5278f5c355c68c9c88f891e66cae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5217b3fe46cd872a4c4da5099d4eb2d66c8f5278f5c355c68c9c88f891e66cae

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/207628/

Comments