MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 574e414e22746d7781bd6ca6f4cc64be417b65696104dda71b037c9584cea01f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 574e414e22746d7781bd6ca6f4cc64be417b65696104dda71b037c9584cea01f
SHA3-384 hash: 43fd2279210fd7350b12adfb1a38d32f424a35175507b517ade7e72a87de51e7df4fd20a1230e0d6eed94babbf4d2923
SHA1 hash: c843fa55b16548ff0378194993e873a0b1b31a31
MD5 hash: 6f5d2b42f4a74886ac3284fa9a414a87
humanhash: harry-berlin-cold-alpha
File name:SKM_C3350191107102300.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:357'888 bytes
First seen:2020-12-16 14:35:48 UTC
Last seen:2020-12-23 03:10:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e06d0f4fcf3872d57a0853ffeb036a8d (2 x AgentTesla, 2 x Formbook, 1 x Loki)
ssdeep 6144:INRzoG9ZAljastgvb61svdlrgW84CIl7twE7zb:INR7QY+TVspB3
Threatray 3'182 similar samples on MalwareBazaar
TLSH 5674CE062914F109E2D6727D4F62DAB517BACCD57821523E38F27D8B3AFDA1724C1227
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
13
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKM_C3350191107102300.zip
Verdict:
Malicious activity
Analysis date:
2020-12-16 14:37:49 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/4335ab5e-a7a7-45fc-a97a-499fc5a5de52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.27516.15880.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Sending an HTTP GET request
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/564344
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 331258 Sample: SKM_C3350191107102300.exe Startdate: 16/12/2020 Architecture: WINDOWS Score: 100 39 www.4mzn-l1mit.com 2->39 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for dropped file 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 4 other signatures 2->53 11 SKM_C3350191107102300.exe 4 2->11         started        signatures3 process4 file5 35 C:\Users\user\AppData\Local\Temp\...\file.exe, PE32 11->35 dropped 37 C:\...\1f5539868fdb4da9bb066ca38b887f0a.xml, XML 11->37 dropped 57 Maps a DLL or memory area into another process 11->57 59 Tries to detect virtualization through RDTSC time measurements 11->59 15 SKM_C3350191107102300.exe 11->15         started        18 cmd.exe 1 11->18         started        20 conhost.exe 11->20         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 22 explorer.exe 15->22 injected 26 schtasks.exe 1 18->26         started        process9 dnsIp10 41 www.gzlydt.com 156.238.196.243, 49752, 80 XHOSTSERVERUS Seychelles 22->41 43 www.markenvandrerhjem.com 194.9.94.85, 49757, 80 LOOPIASE Sweden 22->43 45 21 other IPs or domains 22->45 55 System process connects to network (likely due to code injection or exploit) 22->55 28 msdt.exe 22->28         started        signatures11 process12 signatures13 61 Modifies the context of a thread in another process (thread injection) 28->61 63 Maps a DLL or memory area into another process 28->63 65 Tries to detect virtualization through RDTSC time measurements 28->65 31 cmd.exe 1 28->31         started        process14 process15 33 conhost.exe 31->33         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/574e414e22746d7781bd6ca6f4cc64be417b65696104dda71b037c9584cea01f/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-12-16 07:59:07 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k5hectrcorwxpan5nstpjtdexzaxwzljmecn3jy3an6jlbgouapq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
63cdf6732c057eee9626cae35b73e53dbc35b1c7231c573e8c672372074ac926
Formbook
6526a7eed94f5bff8a1c8b3d9d0aca202b72102edb7beec08644ff9ba06e00e2
Formbook
7e43a881578a70074b8cd80b8dca635ba19180923833a32638dfbd5767216dee
Formbook
80647f6b0ee0d8b14ba78bbd6cbfdf6e332692af7eb0f3348fc76facc4ad23ef
Formbook
9166caa8818f4cc62ac7922d901d396e17c0ff0867c48d52bd891b05121abafd
Formbook
9a176cf24fa09ec01bb6e51507849fa8aad355bb25eba73ce43f63579997633a
Formbook
9f5779b1c4f0c33f93c5745623a806b3a3de57f574b05bbd15a46c3b64eea592
Formbook
e04ac8ec3e13e60c17c1ab13acb486e2e60877e44b6a3ee8a9e372a45d0c8e42
Formbook
e78b5071209858cdcb5ce02f7df3c3fb857088f7088b964791d289c789451e67
Formbook
edb4639fe2eeb567856790fc73f716baeea57ab54fc91e31f49309009978de55
Formbook
+ 3'172 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/201216-h396vtmf9x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.4mzn-l1mit.com/x2ee/
Unpacked files
SH256 hash:
574e414e22746d7781bd6ca6f4cc64be417b65696104dda71b037c9584cea01f
MD5 hash:
6f5d2b42f4a74886ac3284fa9a414a87
SHA1 hash:
c843fa55b16548ff0378194993e873a0b1b31a31
Link:
https://www.unpac.me/results/50ab3419-a1a6-4416-83c4-6ca8467b2a81/
SH256 hash:
0be8b6cc78ece6a433090369e144a1f79e460c8c7f7d193fdedc402a805a3b6a
MD5 hash:
c52ef08f75482ebef0381001daff1fd6
SHA1 hash:
92f3fd245a5ffcf70f4bf7023a7fb35e25074cb3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/50ab3419-a1a6-4416-83c4-6ca8467b2a81/
Parent samples :
574e414e22746d7781bd6ca6f4cc64be417b65696104dda71b037c9584cea01f
cdfc1600f7f5656fb2b72fd10da44b8f7e12f4c40027a4338251e5d7e9f0e743
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/574e414e22746d7781bd6ca6f4cc64be417b65696104dda71b037c9584cea01f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments