MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66c846022acacc0aaa6c5a6ff2f69985ff799b390108ef0e31b5629843309ec1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66c846022acacc0aaa6c5a6ff2f69985ff799b390108ef0e31b5629843309ec1
SHA3-384 hash: 5e16245ff69edcf865ff443af243d25f81a81b66a60bb8c9487cf3c5028e8edd85deb44036173ef25243ce385d142800
SHA1 hash: 8e1a456b050635bc4ed37229ee52347cb7abfc1c
MD5 hash: 02d957fb8e0cc4ab8c12a0e5445eefcd
humanhash: social-venus-social-gee
File name:02d957fb8e0cc4ab8c12a0e5445eefcd
Download: download sample
Signature Formbook
Create hunting rule
File size:978'944 bytes
First seen:2022-07-25 06:02:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:1VSwss0DzgXrXk03ZtPUAGMIBRlHvuMYsmb5ddnmv5wUavNHG+hx2iHx8k31hBUH:1V7T3ZtPqWMLmVrnxbxF
TLSH T17F25E1BE31A0B5DFC827CD7289A52C58AA10707B672BD207A05715ADDA4D6DBCF102F3
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/293878/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44349.11880.14868-222265.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62de321d5c40cd8dc5ec32b7/reports/6b767743-62e7-470a-b6fd-53e1b5653913/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16773625-aa82-45fb-971e-e0224d584c96
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1040145
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 672639 Sample: 114bWebu5M Startdate: 25/07/2022 Architecture: WINDOWS Score: 100 34 www.healthbrainbody.com 2->34 36 td-ccm-168-233.wixdns.net 2->36 38 2 other IPs or domains 2->38 42 Snort IDS alert for network traffic 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 8 other signatures 2->48 11 114bWebu5M.exe 3 2->11         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\114bWebu5M.exe.log, ASCII 11->32 dropped 56 Detected unpacking (changes PE section rights) 11->56 58 Detected unpacking (overwrites its own PE header) 11->58 60 Tries to detect virtualization through RDTSC time measurements 11->60 62 Injects a PE file into a foreign processes 11->62 15 114bWebu5M.exe 11->15         started        18 114bWebu5M.exe 11->18         started        signatures6 process7 signatures8 64 Modifies the context of a thread in another process (thread injection) 15->64 66 Maps a DLL or memory area into another process 15->66 68 Sample uses process hollowing technique 15->68 70 Queues an APC in another process (thread injection) 15->70 20 explorer.exe 15->20 injected process9 process10 22 msdt.exe 20->22         started        signatures11 50 Modifies the context of a thread in another process (thread injection) 22->50 52 Maps a DLL or memory area into another process 22->52 54 Tries to detect virtualization through RDTSC time measurements 22->54 25 explorer.exe 89 22->25         started        28 cmd.exe 1 22->28         started        process12 dnsIp13 40 192.168.2.1 unknown unknown 25->40 30 conhost.exe 28->30         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66c846022acacc0aaa6c5a6ff2f69985ff799b390108ef0e31b5629843309ec1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-22 09:39:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
27 of 41 (65.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m3eemarkzlgavktmljx7f5uzqx7xtgzzaeeo6drrwvrjqqzqt3aq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/220725-gr2jeshga6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader payload
Xloader
Unpacked files
SH256 hash:
639d3b4681e9118751e83c431c91025cdd30b4f218be3d48115bf40c39d089ce
MD5 hash:
2acd9cdef2949a8840f9a22addb8ce7e
SHA1 hash:
38f5335bbd7f63050733ddaafb1934248f04c5d4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/3b4102b9-2f6f-4bea-a4d0-cb46cf2290be/
Parent samples :
d04b778ed37e364a57dca3b1ba40dfa60435fd9b1c18da6981a386b7be04437c
f6db3a2b3160b40742b164c6bbe0496368f4fc52d1a16757a49d023f5189b428
5a9b8bab36f3ad09f3bb0ecd4939ac86bdfb331b6847986020cb9f2ad6357870
61f2a87a69b42545e21404b9d231ef83df880356dbe7a6ce320de40e3ec604eb
55d0997c1a57e39f7de4f2b571524d65069a56a063cf9be315c88a24a72e2bc1
66c846022acacc0aaa6c5a6ff2f69985ff799b390108ef0e31b5629843309ec1
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/3b4102b9-2f6f-4bea-a4d0-cb46cf2290be/
SH256 hash:
77c390234cd009d99ea79cae91fcb3c393ca981bdd80493cd01ed31faa7f06e6
MD5 hash:
1804a2b567bef16271abce8d25987770
SHA1 hash:
9269526b4cff69181565a32bf7fc5fa457a7d1ad
Link:
https://www.unpac.me/results/3b4102b9-2f6f-4bea-a4d0-cb46cf2290be/
SH256 hash:
996283715b147a94ad031f31ce510fb502da28503fd149240632ce9021823711
MD5 hash:
6a0bf73736c1731b1899fba94cd006d4
SHA1 hash:
78eb287c0a587b6d5a9715228566d200c294d1fc
Link:
https://www.unpac.me/results/3b4102b9-2f6f-4bea-a4d0-cb46cf2290be/
SH256 hash:
6e4ab0806d19614789965f425752efd28a2b4584ad3050b5d2047738495cd0cd
MD5 hash:
ab79a8b56131237cf69d1f8043aedcaf
SHA1 hash:
2246918d407593c90d37579f391e613bad942d53
Link:
https://www.unpac.me/results/3b4102b9-2f6f-4bea-a4d0-cb46cf2290be/
SH256 hash:
66c846022acacc0aaa6c5a6ff2f69985ff799b390108ef0e31b5629843309ec1
MD5 hash:
02d957fb8e0cc4ab8c12a0e5445eefcd
SHA1 hash:
8e1a456b050635bc4ed37229ee52347cb7abfc1c
Link:
https://www.unpac.me/results/3b4102b9-2f6f-4bea-a4d0-cb46cf2290be/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/66c846022aca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/66c846022acacc0aaa6c5a6ff2f69985ff799b390108ef0e31b5629843309ec1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 66c846022acacc0aaa6c5a6ff2f69985ff799b390108ef0e31b5629843309ec1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2260835/
Cape
Cape
https://www.capesandbox.com/analysis/293878/

Comments


Avatar
zbet commented on 2022-07-25 06:02:59 UTC

url : hxxp://208.67.105.179/secgovernorzx.exe