MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57c1b561b160ccd8a9ebd612a9b3c46e12ce4dacb63a282de8839951651d8efb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash: 57c1b561b160ccd8a9ebd612a9b3c46e12ce4dacb63a282de8839951651d8efb
SHA3-384 hash: 9a5f712204a53d1b525936218247d5480ef514c4e5df09b558587c9bb964e34fb576b06d67eeff5d482cae8cc510a7f3
SHA1 hash: c58c69d8c67c8985fbf0173ef864f7b64df1001a
MD5 hash: 90efbc55c8f2f979260b2dd4d829c10a
humanhash: may-early-purple-pennsylvania
File name:Ordine 6809 020621.exe
Download: download sample
Signature Formbook
File size:812'544 bytes
First seen:2021-07-03 06:07:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'813 x AgentTesla, 19'735 x Formbook, 12'282 x SnakeKeylogger)
ssdeep 12288:/GZNoujuhQpipQOXs6LdMb2Ufo7cT6dRL2X8u5N4QgVWNebnrmVthl6glu7pdIpp:eeXA2oo7VdRyX95W2eDi
TLSH 28053BA83A9070EED4B7DA77CAAB2C68E6B9B437570B550B601302DD4A0D943DF701B7
Reporter abuse_ch
Tags:exe FormBook

Intelligence


File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ordine 6809 020621.exe
Verdict:
Malicious activity
Analysis date:
2021-07-03 06:08:57 UTC
Tags:
trojan formbook stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 443778 Sample: Ordine 6809 020621.exe Startdate: 03/07/2021 Architecture: WINDOWS Score: 100 36 www.rlztdz.com 2->36 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 7 other signatures 2->46 11 Ordine 6809 020621.exe 3 2->11         started        signatures3 process4 file5 28 C:\Users\user\...\Ordine 6809 020621.exe.log, ASCII 11->28 dropped 14 Ordine 6809 020621.exe 11->14         started        process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 theproperwayboutique.com 108.167.141.137, 49728, 80 UNIFIEDLAYER-AS-1US United States 17->30 32 www.wb-swai.net 45.159.177.216, 49730, 80 PEGTECHINCUS France 17->32 34 9 other IPs or domains 17->34 38 System process connects to network (likely due to code injection or exploit) 17->38 21 systray.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2021-07-02 12:44:48 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Result
Malware family:
xloader
Score:
  10/10
Tags:
family:xloader loader rat
Behaviour
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.movieskorea.club/gnuo/
Unpacked files
SH256 hash:
7c8f844ac24243363d514c1df8b6d8fee0d981c523e57acd5506b2fb81d1e9c4
MD5 hash:
0339137318bcd79d6312e6fb062569e2
SHA1 hash:
8ff746c86349b78db491ed7387792a91adf6bfbc
Detections:
win_formbook_g0 win_formbook_auto
SH256 hash:
1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec
MD5 hash:
81faf15c7e3c9446d906659f7c7a9f16
SHA1 hash:
d7e05a22b109ce608109dc509029a7fe22b4b8bf
SH256 hash:
0a798033d68f0994151cee9d85998ea33cc08d3e07589d14b29073b0c25f78ce
MD5 hash:
eed4813d0d5e10eaae3168283818470a
SHA1 hash:
4455a87508cc0f3b7528e9cad46d504fd4f2df20
SH256 hash:
57c1b561b160ccd8a9ebd612a9b3c46e12ce4dacb63a282de8839951651d8efb
MD5 hash:
90efbc55c8f2f979260b2dd4d829c10a
SHA1 hash:
c58c69d8c67c8985fbf0173ef864f7b64df1001a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments