MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 686a52a491b7e31fb584231e38ed6ac4c1821a5843464ffd537c6288ef8427a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 686a52a491b7e31fb584231e38ed6ac4c1821a5843464ffd537c6288ef8427a1
SHA3-384 hash: c1444d9ca93dc62a5329d00f32e632e5e60430d0802f2fb551ce88de21fea0aabba89f2e139678ba85d521ec0894f802
SHA1 hash: e4048e816f524eee6b307e4cbc66e508bec761bd
MD5 hash: 318f4d702f97b8d7fbc1a1fddfab81ae
humanhash: cup-lemon-queen-cola
File name:318f4d702f97b8d7fbc1a1fddfab81ae.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:907'264 bytes
First seen:2021-04-30 06:06:42 UTC
Last seen:2021-04-30 07:05:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:/tC6DSdbGVqcfWlbkPrADLvsmRkdKi5B39ZLtIDLg:QbGeoPraLkAkdKe97I
Threatray 4'938 similar samples on MalwareBazaar
TLSH CF1501263794EA64E07D13F958B1914147B4FD927A22C30C7ED8639C0EB37D2867B3A2
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/147212/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.688-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/704085
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 400966 Sample: krJF4BtzSv.exe Startdate: 30/04/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 5 other signatures 2->42 10 krJF4BtzSv.exe 5 2->10         started        process3 file4 28 C:\Users\user\AppData\...\krJF4BtzSv.exe.log, ASCII 10->28 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 krJF4BtzSv.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.planbeee.com 192.185.0.218, 49743, 80 UNIFIEDLAYER-AS-1US United States 17->30 32 avenew.pro 50.116.88.120, 49729, 80 UNIFIEDLAYER-AS-1US United States 17->32 34 17 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 46 Performs DNS queries to domains with low reputation 17->46 21 explorer.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/686a52a491b7e31fb584231e38ed6ac4c1821a5843464ffd537c6288ef8427a1/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-29 19:37:17 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nbvffjerw7rr7nmeempdr3lkytayegsyinde77ktprrir34ee6qq._file
Verdict:
malicious
Similar samples:
01476f904e668758ea516e84f359d6d0a4d85dadc179a51788a214ea46ff9dec
Formbook
1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
Formbook
397fd95899f186c1385818c6b996f4cb410e266a84b2c134104d01675a822e27
Formbook
489e0e46a5df58a3144cd7a3ecb1fd0e29aa2db5060084ec774f1d2c8c763fd9
Formbook
9a078cc450ad8a112283812c97c397a6440275925cde819407320829c655ba62
Formbook
b0762ca49381026932f488d2a816a18639c410ba45f456014861ac66b9b3f4e6
Formbook
bc88f7ce08e0f3cd87267fff8188fbdfa3fc9e733db9775d5f06eff82a39a3d6
Formbook
d86dafa5f676c411da4770e51dd034590dbe6dbac01ca90e0c5015a17b363b75
Formbook
edff9b174a171438f2433112957718f27abe1a825bfb7694362270d362c78911
Formbook
f45a023c86d834183f3073c05227d6f40686aef4a71b3893b823be493d7aae83
Formbook
+ 4'928 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210430-ynnjfd55z6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.liancaiwangv5.com/oerg/
Unpacked files
SH256 hash:
11cf5a51e593c007ff4f91294cf505ffd5e425e56387c60d81e6479cc284cc3b
MD5 hash:
73cc3f7e7700e6a54cb5f291dffe5aa1
SHA1 hash:
09174f9fa55c9bac0540efb7a8c682878a32d02d
Link:
https://www.unpac.me/results/a2344cb2-3a44-4f9a-a593-9f01acf203ef/
SH256 hash:
686a52a491b7e31fb584231e38ed6ac4c1821a5843464ffd537c6288ef8427a1
MD5 hash:
318f4d702f97b8d7fbc1a1fddfab81ae
SHA1 hash:
e4048e816f524eee6b307e4cbc66e508bec761bd
Link:
https://www.unpac.me/results/a2344cb2-3a44-4f9a-a593-9f01acf203ef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/686a52a491b7e31fb584231e38ed6ac4c1821a5843464ffd537c6288ef8427a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 686a52a491b7e31fb584231e38ed6ac4c1821a5843464ffd537c6288ef8427a1

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/147212/
  
URLhaus
https://urlhaus.abuse.ch/url/1184297/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-30 07:03:38 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing