MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58fb47124bf49f4190852baec863af03f73216cbba65c7eaa527f6ec6612e42b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58fb47124bf49f4190852baec863af03f73216cbba65c7eaa527f6ec6612e42b
SHA3-384 hash: 85c1d9674ee93e55a4a5ab68d4b8b24e10b25ad17b3148cb9f7dce0f9b7b675323c371ffccbdec68bfd64067facbf912
SHA1 hash: 22a3f4dceee7b5f63e9e940a435412362f947878
MD5 hash: 57d59a3b3d87c9e5808da7ad2b013955
humanhash: nebraska-nebraska-vegan-cat
File name:SNO22 595406_RACX-159814.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:757'760 bytes
First seen:2022-01-25 14:18:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:+iiiiE9WfXGd3334rsurXfjGkOOFn9avBfMIhQa:+xfXk3334wcjGkrWfhR
Threatray 12'930 similar samples on MalwareBazaar
TLSH T144F401317FD25719CB4FCBB44D796C2053B9F89A3858CB6F894AADD912287D60720B23
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SNO22 595406_RACX-159814.exe
Verdict:
Malicious activity
Analysis date:
2022-01-26 00:50:26 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/b35d0762-8bc9-43ed-bbb4-158257989ece

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/222521/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1166.8528.5739.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed print.exe replace.exe
Link:
https://www.filescan.io/uploads/61f006eaf81da814afa427fb/reports/99b3c0ba-d0ad-4c08-8edc-b9dd0c39bcf5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d1cd295-f33e-41d4-835c-217347a6f658
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/927181
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/58fb47124bf49f4190852baec863af03f73216cbba65c7eaa527f6ec6612e42b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 05:21:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
32 of 43 (74.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ld5uoesl6spudeeffoxmqy5pap3tefwlxjs4p2vfe73oyzqs4qvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
204831bda7d04f0905f7bf0c39e45b3772935726d8a436ee9703a19098b37e21
Formbook
41baa5cad8fb3ecbaa97116421042ba41a024823638e9b7608c5ac2e2a339525
Formbook
502303edd5a9de57b3667146e84f15fc4957242ca2ef8f75f5e503946c452ee2
Formbook
50c6754cbbd313acc6a250182439a1191d8f8318f0794feea75bd647b6205f7a
Formbook
5ec2107b1399b50f3ed23e72228f1a74ab9898191a23431c8a4cbff7b73af998
Formbook
75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5
Formbook
9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908
Formbook
9e4e02725cde43b4da85cdf054b11ad0e4a622bb54f4a967b1634ebcaea9666a
Formbook
d079479dd85fb94fe08f6cd70cfff35e39c14294174a8ed6f9b480ffc1cbc9b2
Formbook
f582c02bb98e8313554fabf4fbe11f88157ae4f016f3680fb19d0b72d475e12a
Formbook
+ 12'920 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:p8ce loader rat suricata
Link:
https://tria.ge/reports/220125-rmt9naghgj/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
ccb5f0b543560f4a5cd65e4b22502bf80ddc82c8e3eb184acc28a28bc844b4b5
MD5 hash:
4ebd9d3b5bb46e5e601cc40aa605bbfa
SHA1 hash:
e6a285910a8a34c50543a1630c28a15f7d1a2752
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/7f3557f6-e7d3-4e52-9139-8984363bad32/
Parent samples :
4724b55ca938b0bbdc393ddfecec9ccad30b911490e9fc1922546596526cdb04
22c8527c55a52f56653e38bf1f2dbc8ccc06ab0f0ab16879138f30037b710b0a
d80d56cfde862aefb9ea4a4195b12cafc5e93f60bb13d2e1a8a1a5b6fe49d9c5
58fb47124bf49f4190852baec863af03f73216cbba65c7eaa527f6ec6612e42b
af662c52d97d2590fa9a275d02feaf5aab3c18365e002a288efd862bd09aa6b4
SH256 hash:
1272066bcb190f4a5063c7149c97764af58a9d18a7d05c498e949035278c65ba
MD5 hash:
7b25ad246d7513d590b7811ef5b76b40
SHA1 hash:
88d154682bb569c8c3548943a6485a5dea2627f6
Link:
https://www.unpac.me/results/7f3557f6-e7d3-4e52-9139-8984363bad32/
SH256 hash:
f94ff7b05d6835c87b6ef6500490591bb5598e0d3f7d562c0b0edf7fa5b69993
MD5 hash:
d91d20198605b6cce4305b23a13d4582
SHA1 hash:
2dbd7b76b04ac136065bb33e2518889728fb0025
Link:
https://www.unpac.me/results/7f3557f6-e7d3-4e52-9139-8984363bad32/
SH256 hash:
58fb47124bf49f4190852baec863af03f73216cbba65c7eaa527f6ec6612e42b
MD5 hash:
57d59a3b3d87c9e5808da7ad2b013955
SHA1 hash:
22a3f4dceee7b5f63e9e940a435412362f947878
Link:
https://www.unpac.me/results/7f3557f6-e7d3-4e52-9139-8984363bad32/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/58fb47124bf49f4190852baec863af03f73216cbba65c7eaa527f6ec6612e42b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 58fb47124bf49f4190852baec863af03f73216cbba65c7eaa527f6ec6612e42b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/222521/

Comments