MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 674ab7cd2376e31a811469d50be263894d78b14c826b02a61b7da6069481522a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 674ab7cd2376e31a811469d50be263894d78b14c826b02a61b7da6069481522a
SHA3-384 hash: f02054787a8d7700a188efbd3e1f8cf695ed8130cafe049218b0d4ac9dc45d8ba249d450a56a28d8a56d62f103939488
SHA1 hash: 1cae82745c58aa48c7ffdc0b20d478bbeba0ecad
MD5 hash: ee7727edc7e85d0527aee33712805ea0
humanhash: xray-colorado-maryland-papa
File name:ee7727ed_by_Libranalysis
Download: download sample
Signature Formbook
Create hunting rule
File size:1'798'144 bytes
First seen:2021-05-13 13:06:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:6LBAOqrevtFYCygfcX84ZJjhY+vMaQ7cssjqeqpX5LKWtz/mgoyx3:C/HYJgfcX84Z17Maqc9spplxm0x3
Threatray 5'171 similar samples on MalwareBazaar
TLSH F3859D121B050F5DF43DABBDB43A500A87F87E45F3E0EE5DB85539D827BAB028D4A252
Reporter Libranalysis
Tags:FormBook


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ee7727ed_by_Libranalysis
Verdict:
Suspicious activity
Analysis date:
2021-05-13 13:11:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/14740133-d27b-415f-8f40-5670e22ac9ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/156165/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/781023
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 413419 Sample: ee7727ed_by_Libranalysis Startdate: 13/05/2021 Architecture: WINDOWS Score: 100 34 www.northtlc.com 2->34 36 www.kefeiping.com 2->36 38 2 other IPs or domains 2->38 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 6 other signatures 2->54 11 ee7727ed_by_Libranalysis.exe 3 2->11         started        signatures3 process4 file5 32 C:\Users\...\ee7727ed_by_Libranalysis.exe.log, ASCII 11->32 dropped 66 Tries to detect virtualization through RDTSC time measurements 11->66 15 ee7727ed_by_Libranalysis.exe 11->15         started        signatures6 process7 signatures8 68 Modifies the context of a thread in another process (thread injection) 15->68 70 Maps a DLL or memory area into another process 15->70 72 Sample uses process hollowing technique 15->72 74 Queues an APC in another process (thread injection) 15->74 18 explorer.exe 15->18 injected process9 dnsIp10 40 www.dirtylyxx.com 156.241.53.223, 49724, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 18->40 42 www.providenceoffices.com 91.195.240.94, 49739, 80 SEDO-ASDE Germany 18->42 44 12 other IPs or domains 18->44 56 System process connects to network (likely due to code injection or exploit) 18->56 22 explorer.exe 12 18->22         started        26 autoconv.exe 18->26         started        signatures11 process12 dnsIp13 46 www.nononenseforex.com 22->46 58 System process connects to network (likely due to code injection or exploit) 22->58 60 Modifies the context of a thread in another process (thread injection) 22->60 62 Maps a DLL or memory area into another process 22->62 64 Tries to detect virtualization through RDTSC time measurements 22->64 28 cmd.exe 1 22->28         started        signatures14 process15 process16 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/674ab7cd2376e31a811469d50be263894d78b14c826b02a61b7da6069481522a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-13 13:09:04 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m5flptjdo3rrvaiunhkqxytdrfgxrmkmqjvqfjq3pwtanfebkiva._file
Verdict:
unknown
Similar samples:
192db0da2a9f01f5b24079665f7a34b49d8ce676c635aabfcd88289eadf329d0
Formbook
2fa1b077d0c0a2f292e166dd47f72ca444ceac3c43a1936b4f9a03d7c34d032a
Formbook
5a88f2832e625232b811db9715dcbb1058f9b33ae86677a95c3482ba66f2b98f
Formbook
61b36d9d2e055b9e7be872cd42f44e78e9abfd505e5bc4e719d5b9801200d99e
Formbook
68fa77befde4e147cc7bc2fb142306a94245adb49c4ccca175f12f29414ce3d1
Formbook
8374ee95fb7b6f5d2ae642daec1fe342ed5e1fab5efe4525c900c2e4dcaa8511
Formbook
98a634da7b379b6369d5b7445c7aeb5a58aa195c8f088bf11c84c77ba2c972fd
Formbook
b5e2b52a984579c7f0aa92d0acaa6eef67f06af5330857ba98a62345edd59908
Formbook
bfd74e1ea55e63ca7d7b298355a632f8df0f3fc558ae721ef21cc60ae08b82bb
Formbook
e091222f766082c33c0606405115206cb2d915929dfe2ac899b1945d6442c512
Formbook
+ 5'161 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210513-anrhtgrc2x/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.asconstructionin.com/m3rc/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:hancitor_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/156165/

Comments