MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61958a4fe3c96c015cd835174e8eca1c369cf5f34add7e3f3aedde342239f8bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61958a4fe3c96c015cd835174e8eca1c369cf5f34add7e3f3aedde342239f8bb
SHA3-384 hash: 7e69029264a781c6de586a42aa49a37c90161f60bcc814de7d311b804d30d564246e896c3bb0193e6f7f21dac0b2457a
SHA1 hash: 801ddf2c2722a0eff80bf265f18f830685165b48
MD5 hash: 0cddcba98a1753800fef1ad482b85c69
humanhash: lamp-pizza-lion-ink
File name:PO SPLACK DEC2021764534523,pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:989'696 bytes
First seen:2021-12-15 21:20:22 UTC
Last seen:2021-12-15 22:43:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:XX76/lQcxRvAU8AoLSFLWcw39C0/xFq3SK3:H7QQcrAU8oFI39C0LrK3
Threatray 12'890 similar samples on MalwareBazaar
TLSH T1ED25231A678906D9C54C4B7A083379C053BBFE6F63B9E64EED4EF0952AB33060493D16
File icon (PE):PE icon
dhash icon 00870d1848c4cc20 (27 x RemcosRAT, 6 x Formbook, 1 x NanoCore)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214393/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.7259.5277.26840.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Launching the process to change network settings
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
greyware obfuscated packed
Link:
https://www.filescan.io/uploads/61ba5c4045ca64e57f127966/reports/015fe5ad-b87f-4a28-ab99-18149a1a823b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a8103afc-d079-4ee3-b2ab-ce11d61ad04d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908120
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 540594 Sample: PO SPLACK DEC2021764534523,... Startdate: 15/12/2021 Architecture: WINDOWS Score: 100 31 www.mail2themax.com 2->31 33 www.belaventa.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 7 other signatures 2->47 11 PO SPLACK DEC2021764534523,pdf.exe 3 2->11         started        signatures3 process4 process5 13 PO SPLACK DEC2021764534523,pdf.exe 11->13         started        16 PO SPLACK DEC2021764534523,pdf.exe 11->16         started        signatures6 61 Modifies the context of a thread in another process (thread injection) 13->61 63 Maps a DLL or memory area into another process 13->63 65 Sample uses process hollowing technique 13->65 67 Queues an APC in another process (thread injection) 13->67 18 explorer.exe 13->18 injected process7 dnsIp8 35 www.nanujyr.xyz 18->35 37 vroverseaseducation.com 103.129.97.199, 49849, 80 NETMAGIC-APNetmagicDatacenterMumbaiIN India 18->37 39 11 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 51 Performs DNS queries to domains with low reputation 18->51 22 colorcpl.exe 18->22         started        25 autofmt.exe 18->25         started        signatures9 process10 signatures11 53 Self deletion via cmd delete 22->53 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 59 Tries to detect virtualization through RDTSC time measurements 22->59 27 cmd.exe 1 22->27         started        process12 process13 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/61958a4fe3c96c015cd835174e8eca1c369cf5f34add7e3f3aedde342239f8bb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-15 21:21:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mgkyut7dzfwacxgygulu5dwkdq3jz5ptjlox4pz25xpdiirz7c5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
15e4f50b213a1cc5545dd4a173eabfed7f2ea6019117fdc374ef1514632bdb55
Formbook
48f6e66bd79f4963bd12037988a93f1708a63e4caa7e17a0ba7cc11fdb90076b
Formbook
5d407049f81d3b75bf2d9eb7dc14662f533b1ca37d283e5ef50e001a7ac1f758
Formbook
5f5195f363ef21135a5b5298c2a3576bd03125eec094d769b25296eb0a2605b9
Formbook
64a668add3d7f3bbcc0ef6acb25529c70df773d74e7e17a4a8fd8c95e81ee8bd
Formbook
8fb0895d475560584335f48db057beb1840bbf685f180f46c53eb8aa8d8ec676
Formbook
9c558e9f026119bab2580c1e38533870d351b1e01e65341427194504e2cdf490
Formbook
dce5f044b1f4396f33c3574667169dcbdeb3aebb037c9f53d7a8c38e095f576d
Formbook
e146d9fee7645fc19d995f9d018cac7d0070acf5399128b8435e8532df423921
Formbook
ebae4c196d8a58491f149c1f561b8dfcb7286b5b5e14ee85bd2393a968a498b9
Formbook
+ 12'880 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:nrve loader rat suricata
Link:
https://tria.ge/reports/211215-z7bbaabdem/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
d0eca5257ea69fb4df2b686ee10d13a8780fd966e37753f5e0ad8a25a5ede0eb
MD5 hash:
2bbd44f6c661516f39f19dc00a6f4052
SHA1 hash:
55ecf41b05f0f2e9368dd35fa8c4049e01d74399
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2bf3404e-77d2-4827-9859-de7a6d2a654d/
Parent samples :
61958a4fe3c96c015cd835174e8eca1c369cf5f34add7e3f3aedde342239f8bb
1a754df19cdce289a20f1cdcbdc054311d57300b49168e9b7fb05e357fd7dcd5
SH256 hash:
6bade67fef0ee64048ff513cfee917b70510a07cfae0d3075c9133eb155d9b32
MD5 hash:
d6ddbfcf12f23156dd9d77efc064840e
SHA1 hash:
ba74534cfa3fb1bdbc734e0058f04972bbdc8715
Link:
https://www.unpac.me/results/2bf3404e-77d2-4827-9859-de7a6d2a654d/
SH256 hash:
9f5763966bacdc6de3944a6e06a49b05869c38f2e98b32cb93b483a480a6ffff
MD5 hash:
3418c620c4b9dd4533a88f1ba5ec3ff1
SHA1 hash:
12f6aaf1c90030c4063d42a27b2e7000a08b6e74
Link:
https://www.unpac.me/results/2bf3404e-77d2-4827-9859-de7a6d2a654d/
SH256 hash:
61958a4fe3c96c015cd835174e8eca1c369cf5f34add7e3f3aedde342239f8bb
MD5 hash:
0cddcba98a1753800fef1ad482b85c69
SHA1 hash:
801ddf2c2722a0eff80bf265f18f830685165b48
Link:
https://www.unpac.me/results/2bf3404e-77d2-4827-9859-de7a6d2a654d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/61958a4fe3c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/61958a4fe3c96c015cd835174e8eca1c369cf5f34add7e3f3aedde342239f8bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 61958a4fe3c96c015cd835174e8eca1c369cf5f34add7e3f3aedde342239f8bb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/214393/

Comments