MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ffac0ac4e9b5a57bad598ef22150b9a7d5b6f09226f664d486b6e61cce69e13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ffac0ac4e9b5a57bad598ef22150b9a7d5b6f09226f664d486b6e61cce69e13
SHA3-384 hash: 35c43db6ac7c433a008a5ad28eeeee624dffd7ac901b72b0ef44f6df01b5c8d864ed48fe117cec1c7907be4401503ef1
SHA1 hash: 6ce4eec81b5015552a69b203eda2c818047fbc8e
MD5 hash: 7f98a7ef8df1799ed620ebe0f9e9b1db
humanhash: bakerloo-sad-chicken-minnesota
File name:RQP_10378065.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:434'688 bytes
First seen:2021-02-24 14:29:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:9ibWE3WpQMV/0jfoXvXAa5EQJJfK1tqJId8dk2nJ0MoyCHoPS0zrxU3RUCj1:9ibWFQMGcfwkD2+pJAyC8hz9t4
Threatray 687 similar samples on MalwareBazaar
TLSH DC94F16DB3E5814BF76267B1483681881733BE2DBC91C30D8589361EAF337629611F76
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RQP_10378065.exe
Verdict:
Malicious activity
Analysis date:
2021-02-24 14:36:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0a14d74d-fd18-41d5-9afd-1499e4279524

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118981/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Sending an HTTP GET request
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/616765
Signature
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected Beds Obfuscator
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 357391 Sample: RQP_10378065.exe Startdate: 24/02/2021 Architecture: WINDOWS Score: 100 53 www.ikescakes.com 2->53 55 ikescakes.com 2->55 57 3 other IPs or domains 2->57 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 9 other signatures 2->71 11 RQP_10378065.exe 2 2->11         started        signatures3 process4 signatures5 75 Tries to detect virtualization through RDTSC time measurements 11->75 14 RQP_10378065.exe 11->14         started        17 powershell.exe 15 11->17         started        20 WerFault.exe 23 9 11->20         started        process6 file7 83 Modifies the context of a thread in another process (thread injection) 14->83 85 Maps a DLL or memory area into another process 14->85 87 Sample uses process hollowing technique 14->87 89 Queues an APC in another process (thread injection) 14->89 22 explorer.exe 3 14->22 injected 47 C:\Users\user\AppData\Roaming\...\Drivers.exe, PE32 17->47 dropped 49 C:\Users\user\...\Drivers.exe:Zone.Identifier, ASCII 17->49 dropped 91 Drops PE files to the startup folder 17->91 93 Powershell drops PE file 17->93 26 conhost.exe 17->26         started        51 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->51 dropped signatures8 process9 dnsIp10 59 www.moment.email 5.45.111.174, 49758, 80 NETCUP-ASnetcupGmbHDE Germany 22->59 61 www.comriv.com 23.82.12.31, 49743, 80 LEASEWEB-USA-WDCUS United States 22->61 63 18 other IPs or domains 22->63 73 System process connects to network (likely due to code injection or exploit) 22->73 28 cscript.exe 22->28         started        31 Drivers.exe 2 22->31         started        33 autochk.exe 22->33         started        signatures11 process12 signatures13 77 Modifies the context of a thread in another process (thread injection) 28->77 79 Maps a DLL or memory area into another process 28->79 81 Tries to detect virtualization through RDTSC time measurements 28->81 35 cmd.exe 1 28->35         started        37 powershell.exe 18 31->37         started        39 WerFault.exe 9 31->39         started        41 Drivers.exe 31->41         started        process14 process15 43 conhost.exe 35->43         started        45 conhost.exe 37->45         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5ffac0ac4e9b5a57bad598ef22150b9a7d5b6f09226f664d486b6e61cce69e13/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 14:18:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
7 of 48 (14.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l75mblcotnnfpowvtdxsefiltj6vw3yjejxwmtkinnxgdthgtyjq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
05c3b01f3f582815a9a5c99845273306a23302342adf5215c7fb817e963cc4e0
Formbook
201af2ab950f9aefa7da227b0efdfe0bc005ca77c9ab0284549b081cced51e52
Formbook
4d7785dcd99beca572613788bc8b0713ddda6da0c8df321b1402bc38e6880f88
Formbook
6a37a2a65393b805bbe4e7e4e42b642da433e9caa7436aaeb9df8ab0fc6679b9
Formbook
8cbda95915fcb9696e4e221cdb72f9dc9175af27e348f05bede3f988aee9070c
Formbook
92737036f323b1c72064c1e8038a942266435048a3ce4847f7e5b29558376c1c
Formbook
ad855c55e13ef5274a20805a3836b508c29cae12d0a2de2807aed08ed4090ddd
Formbook
bf07178f2c85eed5d1e0feafc5c312fce344c6ad7666b5be2abf736e6af94169
Formbook
d8ae48ff83b31d072c1a9d988660e2a0be125aa9373a4adb1dd807d0fea4ebe5
Formbook
e096e858f6e33e79359f9be68c43cdb8536c99a6282adb420496e11b12a4aa4c
Formbook
+ 677 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210224-345hgpzr2j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Drops startup file
Beds Protector Packer
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.unicom-group.com/mt6e/
Unpacked files
SH256 hash:
a66d610d255539ab4fd58adec682842d977f15c83ec141f25a2bcb03023aa27d
MD5 hash:
0121eb66a766cb27df26bb50a6cd490f
SHA1 hash:
3264af13f8319ec07ab809559ff9cec10db9d944
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/76287e1e-987b-45ef-bbd1-c9d2de5c4339/
Parent samples :
36dabaa854dac855255b08b096a1fb6cee39f910dfbd2101812a0c5d33b1a983
80530706a080d68ebd18bcf85dae9dbe6477c39d7e4aa7381a1c73902c344201
5ffac0ac4e9b5a57bad598ef22150b9a7d5b6f09226f664d486b6e61cce69e13
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/76287e1e-987b-45ef-bbd1-c9d2de5c4339/
SH256 hash:
7e473d18472e50deefe6cd4129fd70b836e8c4402acc4de999c25ae34427b8fc
MD5 hash:
6d70e8e789ce96ec486c34d9e0e3bd86
SHA1 hash:
1ee401102619b7889d4471b08de2f6854ca60c4d
Link:
https://www.unpac.me/results/76287e1e-987b-45ef-bbd1-c9d2de5c4339/
SH256 hash:
5ffac0ac4e9b5a57bad598ef22150b9a7d5b6f09226f664d486b6e61cce69e13
MD5 hash:
7f98a7ef8df1799ed620ebe0f9e9b1db
SHA1 hash:
6ce4eec81b5015552a69b203eda2c818047fbc8e
Link:
https://www.unpac.me/results/76287e1e-987b-45ef-bbd1-c9d2de5c4339/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/118981/

Comments