MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54ab4a1cdce2eb6cac3d05ca5eb317a247a6b5e9164d8c1067f1601953ec8729. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54ab4a1cdce2eb6cac3d05ca5eb317a247a6b5e9164d8c1067f1601953ec8729
SHA3-384 hash: bd769a1170a76b71ed84c047521336bf99f98c13b430cab8ff24f603dcd78e3579f02ef4577b28b1568ddd073ef0de0f
SHA1 hash: 6bb3fa03d81e4a8855a35760a9ef2804ca2f7eb5
MD5 hash: be986c495952935b1e6cad471cf14747
humanhash: bacon-apart-lion-zebra
File name:PTELOONB39-67.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:963'072 bytes
First seen:2021-07-17 06:54:18 UTC
Last seen:2021-07-17 07:44:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:wSLZWxZ0EG3KQyTs4XlhyI/vbUFUH9vWt8cgxzzz3GrjI4WgL4/z+/8M:hL1EWtfgxzzz2rjI4WggOL
Threatray 8'573 similar samples on MalwareBazaar
TLSH T1D125FE3E6AA42A27B777D2644681C015F9BC41DB3A395DD742C7698C390E8027EE7F2C
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PTELOONB39-67.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-17 06:56:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dd973a2c-bca2-4a59-966b-45664c7f8b8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172311/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.26865.22735.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be394821-3c64-449b-9653-b1bdf792e339
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817780
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450191 Sample: PTELOONB39-67.exe Startdate: 17/07/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 3 other signatures 2->42 10 PTELOONB39-67.exe 3 2->10         started        process3 file4 28 C:\Users\user\...\PTELOONB39-67.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 PTELOONB39-67.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.nrbfx.com 154.221.4.158, 80 VPSQUANUS Seychelles 17->30 32 rdsportsbrand.com 67.222.12.234, 49727, 80 PRIVATESYSTEMSUS United States 17->32 34 5 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 cmd.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/54ab4a1cdce2eb6cac3d05ca5eb317a247a6b5e9164d8c1067f1601953ec8729/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 06:55:04 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ksvuuhg44lvwzlb5axff5myxujd2nnpjczgyyedh6fqbsu7mq4uq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0a2e7c9ad53b5355f4f723912d07f9dae7d1e2d72ac62758cdc44196f124945e
Formbook
34066150ffa7efa505b8d2246925cd8a32f83b9609438ae76aa27cef7388054d
Formbook
4f588080c3618162c1bd0337092af0ba118b7277de6c2043a988562efdb0cbbb
Formbook
660708a7f99d26de87386ca21682b96179f16f2dbc67578a704cb94d78e9848f
Formbook
6935472304f1b2e4e19ca521bf82ef1064f62ced4bf0ee3d1b6eac32a3f4b61f
Formbook
8ea636d851faf7ce0769fbbe7856659d0eb6638353df90e0c93f461ac3a932be
Formbook
a62281360a594e22783fb5dfc0e34645726b22df9ae0939b56a5b41e51289f97
Formbook
dbd108633606663ffe38920ce2c74dee5e68fd23f510e644cfd358271099942c
Formbook
f1b2b93992ab956883815e6fea926d282fc3a423675fa1faf5ffb6cbb2ddbedb
Formbook
+ 8'563 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210717-jx2ccx8tyn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.coffeyklatch.com/iuem/
Unpacked files
SH256 hash:
d34df983105e0b435f0eca80d07a30ea74b11a85f22562d9e295b39fcaf90344
MD5 hash:
314a177df189dc003b3abd6dd36698d7
SHA1 hash:
84541bfda4648ef29d95e87462417c1a846f317d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bc9c8f11-7c9c-43dd-8643-bab50f00ca53/
Parent samples :
4f588080c3618162c1bd0337092af0ba118b7277de6c2043a988562efdb0cbbb
54ab4a1cdce2eb6cac3d05ca5eb317a247a6b5e9164d8c1067f1601953ec8729
503f83e4dea1cb3a70d4c309471ea87756a2465c64533d2ea7103b37bd787788
62df68b2db0b080a2e963f0c082b5df7b15819032e11fbe5e9dfcfb8d143f61e
SH256 hash:
fe059de80f69d3b1bd7cd7ac9f961e013a3856c0c5a2b78e6ce731a1918e4fdc
MD5 hash:
cd5828c943f9a6d48ec70ea77b606280
SHA1 hash:
db17f394d2dd135580542d1de9216b27eb735a31
Link:
https://www.unpac.me/results/bc9c8f11-7c9c-43dd-8643-bab50f00ca53/
SH256 hash:
82a4065578bf324c5a382d4e43510bfe37dc2d4accaa25792aecea77c7387714
MD5 hash:
ecff0ff8f308ad9a7ab4e8d8c6632f1f
SHA1 hash:
b2149cd8ad0767e9ee467d85f7f5d97494ecb07a
Link:
https://www.unpac.me/results/bc9c8f11-7c9c-43dd-8643-bab50f00ca53/
SH256 hash:
00959975064496d7c61852cb075fe3e06a2374793e5013cf99f9ba5abed596bd
MD5 hash:
a6eb53bb87f391c5af0b69fc17ff17e7
SHA1 hash:
a88a217ddf44826b7d81aa92425977c2290cc1fd
Link:
https://www.unpac.me/results/bc9c8f11-7c9c-43dd-8643-bab50f00ca53/
SH256 hash:
54ab4a1cdce2eb6cac3d05ca5eb317a247a6b5e9164d8c1067f1601953ec8729
MD5 hash:
be986c495952935b1e6cad471cf14747
SHA1 hash:
6bb3fa03d81e4a8855a35760a9ef2804ca2f7eb5
Link:
https://www.unpac.me/results/bc9c8f11-7c9c-43dd-8643-bab50f00ca53/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/54ab4a1cdce2eb6cac3d05ca5eb317a247a6b5e9164d8c1067f1601953ec8729

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 54ab4a1cdce2eb6cac3d05ca5eb317a247a6b5e9164d8c1067f1601953ec8729

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/172311/

Comments