MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55f06aa36a715afaa715697f490114fdaaa854f1a62d24d8df024fdc95cd1435. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55f06aa36a715afaa715697f490114fdaaa854f1a62d24d8df024fdc95cd1435
SHA3-384 hash: f38ad8c542c47187dedfb6cee5a2f01037902e75428b5bb0cd937e6dea938086febb00c3b5d132c3ec314d2382904527
SHA1 hash: 67ad501a9592acd639efda3bb68e08398d3fd1de
MD5 hash: 3c8e2a9bf62c852038be35360b5e491e
humanhash: sweet-angel-spaghetti-earth
File name:3c8e2a9bf62c852038be35360b5e491e
Download: download sample
Signature Formbook
Create hunting rule
File size:1'034'240 bytes
First seen:2021-07-16 08:27:20 UTC
Last seen:2021-07-16 11:40:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:2k7jk0vbxIJM38y/1EOhfNtc2tL4ffCtu5bNpKigOBnEYb:GOGJM/rltRhkbEO
Threatray 8'539 similar samples on MalwareBazaar
TLSH T1CD25F12227D0BB8FC7BE8C7AC5031910A2F0D5273613E3C66CE265DD258D7959B126FA
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
kung.xlsx
Verdict:
Malicious activity
Analysis date:
2021-07-16 08:04:30 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/05818f06-f69a-42a9-9cf3-4492a23fbea1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172141/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.931.27629.14749.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/96a38872-2cae-46d1-9e56-9e787cda0593
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817361
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 449775 Sample: 23BOqgo2Gn Startdate: 16/07/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 4 other signatures 2->42 10 23BOqgo2Gn.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\23BOqgo2Gn.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 14 23BOqgo2Gn.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.elevatom.com 17->30 32 olimpiyatcarpet.com 89.252.182.52, 49766, 80 RADORETR Turkey 17->32 34 9 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 cmmon32.exe 6 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/55f06aa36a715afaa715697f490114fdaaa854f1a62d24d8df024fdc95cd1435/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 06:31:28 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14b95763e86e899de22402ae2d7204ff7d9ceab85a12a1599a6c8d5964fa306a
Formbook
24133d4dad6ae66b6b08df65dd8e1d66e589c0fbc2ae770320eafa4d7079231e
Formbook
49217eb71ec8276e6fdb8573c02691fa5b9de9cb14be7b82c4ec6570f78fcfdf
Formbook
4cf933c9f31b4e3dae8002043c64a401f91a228adeadfbca9b172b3333f1be6b
Formbook
6c8d9b097832fec5088306fabfeb26cf5aa0c67153134f4c5e356cee935f871e
Formbook
80b056a8c2fee08fd3361a8a271dea407425ca335275d49f81a1c50a06d9ed98
Formbook
ab95bc3c40647b2b700cdb9aba76b6de220fd528fd194e6071c1747df6cb78ce
Formbook
e091222f766082c33c0606405115206cb2d915929dfe2ac899b1945d6442c512
Formbook
e9f37a053f32c4f4732ba0ff24dba4d0a57a4e2dc8e8f1698e5601385371ce8e
Formbook
ec7613877f4aaf8962f0238890a365152d928269350e6a98b227f91c0624827c
Formbook
+ 8'529 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210716-9xt1tvy7xn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.eco-memo.com/7bun/
Unpacked files
SH256 hash:
82a4065578bf324c5a382d4e43510bfe37dc2d4accaa25792aecea77c7387714
MD5 hash:
ecff0ff8f308ad9a7ab4e8d8c6632f1f
SHA1 hash:
b2149cd8ad0767e9ee467d85f7f5d97494ecb07a
Link:
https://www.unpac.me/results/c78b7b20-7170-4e8b-bb9c-c8f87c7dea6e/
SH256 hash:
4aeeded1ed1d44eae638bab88072bc80171eba07c526ce914c0be45dcd0a95ac
MD5 hash:
9f5c41927c54ad485c931f73ff3e1708
SHA1 hash:
345e16c7b85462c831b2af338ab48dd554f7283f
Link:
https://www.unpac.me/results/c78b7b20-7170-4e8b-bb9c-c8f87c7dea6e/
SH256 hash:
fca032a5fa0ba45cdbef443b5ca68f48bea763e4530a66dbbd8b7998da5652d1
MD5 hash:
6499e449331bb84b6a31bdca3e6c4282
SHA1 hash:
72095dee54b23b286f402f494a3b297d13eab245
Link:
https://www.unpac.me/results/c78b7b20-7170-4e8b-bb9c-c8f87c7dea6e/
SH256 hash:
0ccc9cccce773a37bbf7b40d2d377b9c3cf243547b81f60139cb9ef70b9a3c4c
MD5 hash:
cd2aa3fa657107aa5b8d9b69c9d412ad
SHA1 hash:
b22db0fec36573248df4c26d31adefcc323482fb
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c78b7b20-7170-4e8b-bb9c-c8f87c7dea6e/
Parent samples :
24133d4dad6ae66b6b08df65dd8e1d66e589c0fbc2ae770320eafa4d7079231e
55f06aa36a715afaa715697f490114fdaaa854f1a62d24d8df024fdc95cd1435
e38f60c9ff210681232148c43db51f11967e6360940b50a646c8edb472fb1c42
a728204cf53dff3c0f93facfa43a189166caf917e31e85c3ff3b773ecf0cb9b6
820874caef7dd09b3475fbeac4b6b7372446b6b5eee1583aa7eef9610e27b9f8
SH256 hash:
55f06aa36a715afaa715697f490114fdaaa854f1a62d24d8df024fdc95cd1435
MD5 hash:
3c8e2a9bf62c852038be35360b5e491e
SHA1 hash:
67ad501a9592acd639efda3bb68e08398d3fd1de
Link:
https://www.unpac.me/results/c78b7b20-7170-4e8b-bb9c-c8f87c7dea6e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/55f06aa36a715afaa715697f490114fdaaa854f1a62d24d8df024fdc95cd1435

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 55f06aa36a715afaa715697f490114fdaaa854f1a62d24d8df024fdc95cd1435

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1458587/
Cape
Cape
https://www.capesandbox.com/analysis/172141/

Comments


Avatar
zbet commented on 2021-07-16 08:27:22 UTC

url : hxxp://103.140.250.43/user/.wininit.exe