MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58dc8fe3046450ddf0e00d1076440c4357f46a6829c41b85f8aa0345d51887c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58dc8fe3046450ddf0e00d1076440c4357f46a6829c41b85f8aa0345d51887c7
SHA3-384 hash: fcc000e8a67e42ea1764958aa55b21f8a1968f4a1ef957871e537be66a58502bf29a877eb9bb8521317f1edcc7934635
SHA1 hash: db37f6e58a8f940986fee6e2d9b5f3d2fff68a77
MD5 hash: dd6738b8bd7f1450c7c21f6bd71b6fa2
humanhash: angel-kentucky-spring-network
File name:dj.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:219'324 bytes
First seen:2022-05-18 17:13:18 UTC
Last seen:2022-05-19 12:08:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 3072:VfY/TU9fE9PEtunb8z/nbBaC3oGfkmR5ooWj/+nswgLPoHp/kkUhfL0h3smO/v1g:ZYa6V8z/nNIGfkGoo8zNPKp0lQ5sF187
Threatray 15'685 similar samples on MalwareBazaar
TLSH T1882412987FA8C0B7D0C1473269FAA2353BF7D6132494B38B17B05A587E26611AC2F712
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
invoice.xlsx
Verdict:
Malicious activity
Analysis date:
2022-05-18 08:07:33 UTC
Tags:
exploit CVE-2017-11882 loader formbook trojan stealer
Link:
https://app.any.run/tasks/384b49af-0ea2-4a33-b986-05ec7a85e0a4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272187/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.2831.21250.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/18796/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62852961e48ed3e8b900887c/reports/42daeda3-b870-47a9-905a-3d59957a535b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5e0ea6ef-dd8b-4c25-85b8-e5b61cdc3420
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/997015
Signature
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 629507 Sample: dj.exe Startdate: 18/05/2022 Architecture: WINDOWS Score: 100 36 www.walidoooo.com 2->36 38 www.skynetmasters.com 2->38 40 3 other IPs or domains 2->40 52 Snort IDS alert for network traffic 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 4 other signatures 2->58 11 dj.exe 19 2->11         started        signatures3 process4 file5 34 C:\Users\user\AppData\Local\...\xbbljvli.exe, PE32 11->34 dropped 14 xbbljvli.exe 1 11->14         started        process6 signatures7 68 Multi AV Scanner detection for dropped file 14->68 70 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->70 72 Tries to detect virtualization through RDTSC time measurements 14->72 74 Injects a PE file into a foreign processes 14->74 17 xbbljvli.exe 14->17         started        20 conhost.exe 14->20         started        process8 signatures9 44 Modifies the context of a thread in another process (thread injection) 17->44 46 Maps a DLL or memory area into another process 17->46 48 Sample uses process hollowing technique 17->48 50 Queues an APC in another process (thread injection) 17->50 22 systray.exe 17->22         started        25 explorer.exe 17->25 injected 28 BackgroundTransferHost.exe 13 17->28         started        process10 dnsIp11 60 Modifies the context of a thread in another process (thread injection) 22->60 62 Maps a DLL or memory area into another process 22->62 64 Tries to detect virtualization through RDTSC time measurements 22->64 42 www.minikuru-support.com 162.43.118.150, 49829, 80 CYBERTRAILSUS United States 25->42 66 System process connects to network (likely due to code injection or exploit) 25->66 30 cmd.exe 1 28->30         started        signatures12 process13 process14 32 conhost.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58dc8fe3046450ddf0e00d1076440c4357f46a6829c41b85f8aa0345d51887c7/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-05-18 14:40:51 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ldoi7yyemrin34habuihmraminl7i2tifhcbxbpyvibulviyq7dq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1799e80fe0e05e3e784de5536df1713309a3b345ea3dbd920acfff477735afbd
Formbook
2537720d5a68fae9bd2bd01925102deb25af75b86fbdc295f166efc97e636cfe
Formbook
6bd24ce0a16599d97686146c6a822023f0f4896fcee914eed9a4e45a7e46b864
Formbook
8c7c6966c40ca10cdb43c9520c24ae932e63429fbc858b2c05f94f1bedbe0efa
Formbook
988606c3b43228b851832aae56418b2ab7af38240f18339049da7e40ed9a27c1
Formbook
a9915e261e819e5388755f6e20a93b55c096eb7b81b930c7212a77be734a97b2
Formbook
c6cbe14f336bc97cc4bf2db682cc36efc1b371f6cc45509ee347c29348903676
Formbook
c6ccab15f09cd96dc361af96d7c1b3469d83aaede794309536131081ea6ab245
Formbook
fa8c154dc265fd44150023639ed16b4a0112355d0622f39a9b305acb7c940d6b
Formbook
+ 15'675 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:lt17 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220518-vrzaysegck/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
df8ff13e8c45ccf46d4ca18d41ca3388b458412f42ec57e98b8e8001b8154c7c
MD5 hash:
9a3170e3532966ea76da633dc7fcb858
SHA1 hash:
f63f12ec183db0f652f5ea6af251b59a46e2120d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/83aa1440-f835-4191-a4b1-21fcb7bada5f/
Parent samples :
58dc8fe3046450ddf0e00d1076440c4357f46a6829c41b85f8aa0345d51887c7
107d68c6296491ef2507347077005737d0c8f39f9c2695282c90bf61baf67d84
44ba196d26ded5256953332dbcf8f1e4eef73522687836158ec13065917bb36c
SH256 hash:
873c37d98084997912a32bc49c8c09a673c8854620271b4d5a4ab71dcdae69e8
MD5 hash:
58c3f5962aa27bb648850ca9b758f82c
SHA1 hash:
51cb0922c11c2ca3d77cf7acd5a899e6d3bc8d8f
Link:
https://www.unpac.me/results/83aa1440-f835-4191-a4b1-21fcb7bada5f/
SH256 hash:
58dc8fe3046450ddf0e00d1076440c4357f46a6829c41b85f8aa0345d51887c7
MD5 hash:
dd6738b8bd7f1450c7c21f6bd71b6fa2
SHA1 hash:
db37f6e58a8f940986fee6e2d9b5f3d2fff68a77
Link:
https://www.unpac.me/results/83aa1440-f835-4191-a4b1-21fcb7bada5f/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/58dc8fe30464/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/58dc8fe3046450ddf0e00d1076440c4357f46a6829c41b85f8aa0345d51887c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/272187/
  
URLhaus
https://urlhaus.abuse.ch/url/2201081/

Comments