MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6575fefaef5564a290a1fd996e759f8d1b8f740256ae8a066170daf3accf69de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6575fefaef5564a290a1fd996e759f8d1b8f740256ae8a066170daf3accf69de
SHA3-384 hash: c1899e90d5414ac81f000d940c41e9b1f73d8c1fead80a642ff6964f549c8033b2fdc16398b486d1b80291ce9c4bd919
SHA1 hash: 659888ff7b3b7d44d11fc79d7a74326a3247ecba
MD5 hash: 6f30eed6ff1f5c70285f5bf5ecccf260
humanhash: item-helium-music-vermont
File name:6f30eed6ff1f5c70285f5bf5ecccf260.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:709'120 bytes
First seen:2021-08-30 16:13:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:5rcX67FuOR6d/6+UQBtMzftsTTos14IxsmCNn:5rcX6p+ptMzftaTn1RCNn
Threatray 8'638 similar samples on MalwareBazaar
TLSH T1E6E40C7F19BDA2279175C6F58BE78827F0108B6F3110692476D347264322A7AB4F336E
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ 10305 .xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-30 12:04:59 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/f7aa994a-d225-4093-9748-8e7b9728739f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183845/
Detection(s):
SecuriteInfo.com.Artemis6F30EED6FF1F.15928.28183.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9685ed9f-802d-4a04-a3a7-9050f0ca3baa
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841734
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 474165 Sample: zSYQ5XNqbr.exe Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 31 www.thenearshoppe.com 2->31 33 thenearshoppe.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 7 other signatures 2->47 10 zSYQ5XNqbr.exe 3 2->10         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\zSYQ5XNqbr.exe.log, ASCII 10->29 dropped 59 Uses netstat to query active network connections and open ports 10->59 61 Tries to detect virtualization through RDTSC time measurements 10->61 63 Injects a PE file into a foreign processes 10->63 14 zSYQ5XNqbr.exe 10->14         started        17 zSYQ5XNqbr.exe 10->17         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 14->65 67 Maps a DLL or memory area into another process 14->67 69 Sample uses process hollowing technique 14->69 71 Queues an APC in another process (thread injection) 14->71 19 NETSTAT.EXE 14->19         started        22 explorer.exe 14->22 injected process9 dnsIp10 49 Self deletion via cmd delete 19->49 51 Modifies the context of a thread in another process (thread injection) 19->51 53 Maps a DLL or memory area into another process 19->53 55 Tries to detect virtualization through RDTSC time measurements 19->55 25 cmd.exe 1 19->25         started        35 www.hoichoishops.com 74.208.236.245, 49738, 80 ONEANDONE-ASBrauerstrasse48DE United States 22->35 37 www.tijprintersolution.com 104.42.16.175, 49737, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->37 39 7 other IPs or domains 22->39 57 System process connects to network (likely due to code injection or exploit) 22->57 signatures11 process12 process13 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6575fefaef5564a290a1fd996e759f8d1b8f740256ae8a066170daf3accf69de/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 11:37:25 UTC
AV detection:
16 of 27 (59.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mv2756xpkvskfefb7wmw45m7runy65ack2xiubtbodnphlgpnhpa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00e599fadd6b7cd568751d9741ad77f85a7c9fdea785deed6898f348efd794fd
Formbook
49217eb71ec8276e6fdb8573c02691fa5b9de9cb14be7b82c4ec6570f78fcfdf
Formbook
6c60876d91087cbd176ff5419577f2b3315b2d3a9d9c6d11a06b95ea10d5311f
Formbook
6c8d9b097832fec5088306fabfeb26cf5aa0c67153134f4c5e356cee935f871e
Formbook
80b056a8c2fee08fd3361a8a271dea407425ca335275d49f81a1c50a06d9ed98
Formbook
ab95bc3c40647b2b700cdb9aba76b6de220fd528fd194e6071c1747df6cb78ce
Formbook
d2ebab1807dd44bad7b61ac4b53e5d4e8dcdd1daa20d521c778400610fc1a252
Formbook
e05f95a61609a00f7c8372823b0cd8731524e3d938c8f54a11922491e1a70989
Formbook
e091222f766082c33c0606405115206cb2d915929dfe2ac899b1945d6442c512
Formbook
e4bf214f6939dae12a6a479bd64f129509aa74ae46033c1aee210acddb118077
Formbook
+ 8'628 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:utrf loader rat
Link:
https://tria.ge/reports/210830-43vhz9eghs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.tijprintersolution.com/utrf/
Unpacked files
SH256 hash:
7f54619a9dbc0f42c7700a93e54012d4e1ae23eb377de09fa9e9b93c2591b697
MD5 hash:
0ea4e299de4a2b6ef9874faf51631b61
SHA1 hash:
f27b47a7a4aa0ea4b5557083dc08e79981d578a6
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6704577f-e938-4cf6-8c05-4b3e8befb31e/
Parent samples :
6575fefaef5564a290a1fd996e759f8d1b8f740256ae8a066170daf3accf69de
311212296fb8626d2a696cf7ef2731a6d03f44618be2597acb9f44ac46fd5087
abaca5741431ff5f4d04ac153e6d06514d1a7d92154d9ae994d253297f582930
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/6704577f-e938-4cf6-8c05-4b3e8befb31e/
SH256 hash:
69c55b69892f660b4f31f73e5e11230c2909da600cde1048a30694eab59e45cc
MD5 hash:
7a6c0a07bf2b0e462c6d82506e935ad8
SHA1 hash:
eaa45da99c47c0ec5004b2fa91d73aeefceb00ca
Link:
https://www.unpac.me/results/6704577f-e938-4cf6-8c05-4b3e8befb31e/
SH256 hash:
6575fefaef5564a290a1fd996e759f8d1b8f740256ae8a066170daf3accf69de
MD5 hash:
6f30eed6ff1f5c70285f5bf5ecccf260
SHA1 hash:
659888ff7b3b7d44d11fc79d7a74326a3247ecba
Link:
https://www.unpac.me/results/6704577f-e938-4cf6-8c05-4b3e8befb31e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/6575fefaef5564a290a1fd996e759f8d1b8f740256ae8a066170daf3accf69de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 6575fefaef5564a290a1fd996e759f8d1b8f740256ae8a066170daf3accf69de

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1577630/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/183845/

Comments