MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 624df197f011c71ac8afdaebfef7c1a6a598c5ad47c1bcbd70695ca858978de3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 624df197f011c71ac8afdaebfef7c1a6a598c5ad47c1bcbd70695ca858978de3
SHA3-384 hash: 19920b26c1e1e8c7a5f6ca615b4522b19a5390c363beb86cf74cedbc89d3589773eff24ca4720774e2dffd2b7b9735f4
SHA1 hash: 304e94448a7c9097c53d1a87dfc3a783323dd049
MD5 hash: 6bf3bd003b84e7c4098642df174ef0a9
humanhash: lake-east-spring-four
File name:PCB 102021.EXE
Download: download sample
Signature Formbook
Create hunting rule
File size:368'128 bytes
First seen:2021-11-03 18:07:37 UTC
Last seen:2021-11-03 20:26:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:35s1C+Fk8mhcQ2eGyV2FI9IvrEk4yHULLtkkNEhlTqG3N:3735PwC2F8IvADsOLt7k17
TLSH T1D57402202BF83733DD3F67F92925162447B5F14A2116E3897E8A3ACF916AB514D80F63
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PCB 102021.EXE
Verdict:
Malicious activity
Analysis date:
2021-11-03 18:20:01 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/4d14fe0b-844a-4e61-b5fb-6287f84345f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/201939/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.27936.23734.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6182d007bf51178dbe4d388c/reports/db7c7a53-150d-431e-a590-c139e53aa929/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1522bb6c-4122-4a00-958a-0cc5d339252b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/882751
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: CMSTP Execution Process Creation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 515181 Sample: PCB 102021.EXE Startdate: 04/11/2021 Architecture: WINDOWS Score: 100 33 www.treeservice-estimate.com 2->33 35 www.riddleme.one 2->35 37 4 other IPs or domains 2->37 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 8 other signatures 2->51 11 PCB 102021.EXE 3 2->11         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\PCB 102021.EXE.log, ASCII 11->31 dropped 65 Injects a PE file into a foreign processes 11->65 15 PCB 102021.EXE 11->15         started        18 PCB 102021.EXE 11->18         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 20 explorer.exe 15->20 injected process9 dnsIp10 39 www.diversifiedcontractingla.com 172.67.202.227, 49822, 80 CLOUDFLARENETUS United States 20->39 41 www.thompsonbi.com 20->41 43 9 other IPs or domains 20->43 53 System process connects to network (likely due to code injection or exploit) 20->53 55 Performs DNS queries to domains with low reputation 20->55 24 cmstp.exe 20->24         started        signatures11 process12 signatures13 57 Self deletion via cmd delete 24->57 59 Modifies the context of a thread in another process (thread injection) 24->59 61 Maps a DLL or memory area into another process 24->61 63 Tries to detect virtualization through RDTSC time measurements 24->63 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/624df197f011c71ac8afdaebfef7c1a6a598c5ad47c1bcbd70695ca858978de3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-03 18:08:07 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mjg7df7qchdrvsfp3lv7556bu2szrrnni7a3zplqnfokqwexrxrq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n35q loader rat
Link:
https://tria.ge/reports/211103-wqwn4sedb6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.24hr.online/n35q/
Unpacked files
SH256 hash:
cd99b89e8f3867575ffdc0759f87a883341dad84ded5cc04f45334755cb05ac7
MD5 hash:
be0dfbee84dd2aee7725c3b7d81f5367
SHA1 hash:
8241781ace2b359c488feea6aa046ceaff1294fd
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/37258e5e-e126-4b49-a08d-d5e6d83b3e44/
Parent samples :
dd8fdaec54b12c6195b23601689139226a7500fefbf665b1eb3cf9df3358da5a
624df197f011c71ac8afdaebfef7c1a6a598c5ad47c1bcbd70695ca858978de3
SH256 hash:
110a28b39b1e0840684110fa77a580effce50755cb865ce9df566f1fff308d05
MD5 hash:
17d644e87b9923fb2a0ed51e7594d82f
SHA1 hash:
863600e4908ebd4ed26285e210d983d04399e600
Link:
https://www.unpac.me/results/37258e5e-e126-4b49-a08d-d5e6d83b3e44/
SH256 hash:
53c6aa57cdd033cff91d3d2feec2bdfdb1e2b004645944734d34b1ad8d9e2808
MD5 hash:
97cc9d00a6f98fb71e82763d6266346b
SHA1 hash:
4a2d82b320f0ac9ab7d5ee1d50a80d7e7fff6fba
Link:
https://www.unpac.me/results/37258e5e-e126-4b49-a08d-d5e6d83b3e44/
SH256 hash:
624df197f011c71ac8afdaebfef7c1a6a598c5ad47c1bcbd70695ca858978de3
MD5 hash:
6bf3bd003b84e7c4098642df174ef0a9
SHA1 hash:
304e94448a7c9097c53d1a87dfc3a783323dd049
Link:
https://www.unpac.me/results/37258e5e-e126-4b49-a08d-d5e6d83b3e44/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/624df197f011/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/624df197f011c71ac8afdaebfef7c1a6a598c5ad47c1bcbd70695ca858978de3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 653c0f962f564b65191195197b7c23a6af4ab422a20af5040b6ae0fb56c43f02

Formbook

Executable exe 624df197f011c71ac8afdaebfef7c1a6a598c5ad47c1bcbd70695ca858978de3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 653c0f962f564b65191195197b7c23a6af4ab422a20af5040b6ae0fb56c43f02
Cape
Cape
https://www.capesandbox.com/analysis/201939/

Comments