MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e4a7a05fd61a82f8bccc6a21dfbcfe91310e4051a0fc7f2c358037a223e193d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e4a7a05fd61a82f8bccc6a21dfbcfe91310e4051a0fc7f2c358037a223e193d
SHA3-384 hash: 31cd82f8aedb55b9b9df748446f1ca0ca4584dbfccdf61ca571aa7e8a697b68b1f3c00b33066905e87cc945f48978006
SHA1 hash: 79ad709092e60e48c4864e6955a6dc9bf4f9dce6
MD5 hash: 67169c2852a353f1ee75de275bdbca92
humanhash: kentucky-twenty-seven-ten
File name:uzorak proizvoda.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'199'104 bytes
First seen:2021-08-20 10:55:58 UTC
Last seen:2021-08-20 11:52:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:SYjgge8319wMTQOK8sC8QV3wr0IFaCZsGUyA:Hjgge8319T0OKxTt0iWN
Threatray 7'847 similar samples on MalwareBazaar
TLSH T1E045493D19B91633C5B9C335EBE59463B248985FB500EE696CDE03A7031BA8735C362E
dhash icon d0a4b4c2cac0e4f4 (9 x AgentTesla, 4 x Loki, 4 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
uzorak proizvoda.exe
Verdict:
Malicious activity
Analysis date:
2021-08-20 10:57:12 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/14438a28-2a24-4688-a0d3-cab84dea0412

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180925/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48175.12724.13597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2765b8d5-d7a5-4f21-bdc4-cd2ab7eab9a5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/836360
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Process Start Without DLL
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 468791 Sample: uzorak proizvoda.exe Startdate: 20/08/2021 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for URL or domain 2->51 53 7 other signatures 2->53 10 uzorak proizvoda.exe 7 2->10         started        process3 file4 33 C:\Users\user\AppData\Local\...\tmpAF6D.tmp, XML 10->33 dropped 35 C:\Users\user\AppData\Roaming\DgjcPRUL.exe, PE32 10->35 dropped 65 Writes to foreign memory regions 10->65 67 Allocates memory in foreign processes 10->67 69 Injects a PE file into a foreign processes 10->69 14 RegSvcs.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 71 Modifies the context of a thread in another process (thread injection) 14->71 73 Maps a DLL or memory area into another process 14->73 75 Sample uses process hollowing technique 14->75 77 2 other signatures 14->77 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 37 prettyprettybartending.com 108.167.140.95, 49719, 80 UNIFIEDLAYER-AS-1US United States 19->37 39 www.255135.com 166.88.19.181, 49713, 80 EGIHOSTINGUS United States 19->39 41 9 other IPs or domains 19->41 55 System process connects to network (likely due to code injection or exploit) 19->55 25 explorer.exe 12 19->25         started        signatures10 process11 dnsIp12 43 www.kaimold.com 25->43 45 kaimold.com 25->45 57 System process connects to network (likely due to code injection or exploit) 25->57 59 Modifies the context of a thread in another process (thread injection) 25->59 61 Maps a DLL or memory area into another process 25->61 63 Tries to detect virtualization through RDTSC time measurements 25->63 29 cmd.exe 1 25->29         started        signatures13 process14 process15 31 conhost.exe 29->31         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5e4a7a05fd61a82f8bccc6a21dfbcfe91310e4051a0fc7f2c358037a223e193d/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-20 10:56:06 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lzfhubp5mguc7c6my2rb366p5ejrbzafdih4p4wdlabxuir6de6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0843599494471ac72b515fc33ea317ed0b384257ff9cb2de7e93a657f9e89878
Formbook
16f669b8657b76f78a71e28f4b475856eddccfd143f2128275212b338aca8620
Formbook
1ba55b6d19b202f0a3fa11a7122a210ed0041074bf30fc754bbc87c1a793304b
Formbook
2ae08b5584e30abd315edad1daa90759d442646ade096f38b6534d00f69e811b
Formbook
45abf01202d5b9993c5d873917cb8f943ed0c479628b62f0bd1e0453c385597c
Formbook
5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a
Formbook
7712bd8e688370cdf586d604192cff97076b02f7eb676fa3ead70f5e55dff20f
Formbook
ab4795f656b54e9388c89d6a4df52747510fa418bdb50aa3bafd7b332ef1ff81
Formbook
eeb09100ff7eb31eb91735290de6a3cfe364b50365f4713aef21f7cf3db5744d
Formbook
+ 7'837 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:w56m loader rat
Link:
https://tria.ge/reports/210820-f2waedddrj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.recareerrecruiter.com/w56m/
Unpacked files
SH256 hash:
dcb835c1161010d6bc74d93bb5d13628b947c65976563cfcd688b152125ec735
MD5 hash:
44dd39404ad66587023e849fbf3ec2ff
SHA1 hash:
c7ff8c56aa6620bf2e82bc266d77c4a30933f72b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5db60fd9-bd90-4e5a-a636-69b85d6adb9c/
Parent samples :
0ad43fd8a30f20f600092744496b9008b6293f1c845a567d8b9ad9b9537e16cf
2558ad56322f3be1bcc074599d4f1dad5b9a7ce800d023d79560d30b0f619f50
45abf01202d5b9993c5d873917cb8f943ed0c479628b62f0bd1e0453c385597c
0843599494471ac72b515fc33ea317ed0b384257ff9cb2de7e93a657f9e89878
ccad88cfcaf9a2b65b29af3fe6b85559efe3ffcf032ada3919cfa656eef60e54
5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a
5e4a7a05fd61a82f8bccc6a21dfbcfe91310e4051a0fc7f2c358037a223e193d
SH256 hash:
6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash:
03bde4a82ad64c0f314985232fbca3fa
SHA1 hash:
e8d0b6339e94192eaaca32c812f914e60576dca6
Link:
https://www.unpac.me/results/5db60fd9-bd90-4e5a-a636-69b85d6adb9c/
SH256 hash:
23c49c9afbf6e1b6daf412a730fda03ac635fbba826c053c7e07a904c25a46c0
MD5 hash:
5a862d2978e58d039b5379316ff70805
SHA1 hash:
00d4a49053805d67e28cc2a32bdd8d6ca19c5810
Link:
https://www.unpac.me/results/5db60fd9-bd90-4e5a-a636-69b85d6adb9c/
SH256 hash:
5e4a7a05fd61a82f8bccc6a21dfbcfe91310e4051a0fc7f2c358037a223e193d
MD5 hash:
67169c2852a353f1ee75de275bdbca92
SHA1 hash:
79ad709092e60e48c4864e6955a6dc9bf4f9dce6
Link:
https://www.unpac.me/results/5db60fd9-bd90-4e5a-a636-69b85d6adb9c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e4a7a05fd61a82f8bccc6a21dfbcfe91310e4051a0fc7f2c358037a223e193d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5e4a7a05fd61a82f8bccc6a21dfbcfe91310e4051a0fc7f2c358037a223e193d

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/180925/

Comments