MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6961aeab02e7dafda1e2f16e9ec88fd5dce6199925a71f22657a2c48627ae087. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6961aeab02e7dafda1e2f16e9ec88fd5dce6199925a71f22657a2c48627ae087
SHA3-384 hash: a77985d50a87290ece10c26870636625c1f13957839a7b234c0c561d0e1a051ad670f0eabbffe1d223a3aa42dd449a4e
SHA1 hash: 76598e8315496d2bfcaa35edd12f521483ff5c31
MD5 hash: 1c68b56f273eab047eccce3cbad492a5
humanhash: south-spaghetti-angel-alpha
File name:1c68b56f273eab047eccce3cbad492a5.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:906'240 bytes
First seen:2021-01-18 09:45:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:UVnwNZ2Pq05Jhv0tNCpWs6m/4XTLB3KqB7qNrMOMAMTYB9JMA:A95Jh8tNCd6m/4XT13KqZUYO/2A
Threatray 3'900 similar samples on MalwareBazaar
TLSH 7D153A3D71B44B16E4386FF44A6893CC8BBDEE5A1626DE0AFCC136F6D571B01860A613
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_MVOCEANGLORY_Inquiry.xlsx
Verdict:
Malicious activity
Analysis date:
2021-01-18 07:53:22 UTC
Tags:
encrypted trojan opendir exploit CVE-2017-11882 loader formbook stealer
Link:
https://app.any.run/tasks/14c33afc-c101-4b8a-9f3f-0ea1eb49e132

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112548/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/583640
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 340857 Sample: AnGaRFyL4O.exe Startdate: 18/01/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 5 other signatures 2->42 10 AnGaRFyL4O.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\AnGaRFyL4O.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 AnGaRFyL4O.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.tribesy.net 199.34.228.77, 49736, 49769, 80 WEEBLYUS United States 17->30 32 www.quba6.com 107.149.255.161, 49766, 80 PEGTECHINCUS United States 17->32 34 20 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 cmd.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6961aeab02e7dafda1e2f16e9ec88fd5dce6199925a71f22657a2c48627ae087/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-01-18 09:46:06 UTC
AV detection:
9 of 44 (20.45%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nfq25kyc47np3ipc6fxj5sep2xoomgmzewtr6itfpiweqyt24cdq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00b4306bf3aa94183358ece86c01bb245ca2e39ba0a2d56f5b9d8b50c3ba3e91
Formbook
43240f1dfbde94a0fb438b295e6ddb3ef5aa5ef82f42222312f2eb49b91f9de8
Formbook
518023c16668547a3d37cd93ca34ae6697364dd838c8538d6de80441f2b6c1bd
Formbook
63289870bb6e2bbb13afd47bf630c048e593afacc5c968939855f85ca5022ea4
Formbook
65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb
Formbook
b88d84be2994a05ac716dac99a689356d8c7ecbd541989a5339be403da909430
Formbook
bcba31709cecf79a6996bda8b48a9e891db6de827c852404634a96d248560ba3
Formbook
dca4c9a7846a3ebb066c08583388adeb4b05e464f20abd10409ccf47164d8635
Formbook
e2d83de235b73fa4366db562daf7a16884eb632bc00ac8d12d371bdc7a2d1c2f
Formbook
e347dfe07b91ef2835e5de0f8e47df31647be4558adbe842b244a8384f0f59d2
Formbook
+ 3'890 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210118-h2qa89cgbe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.kaiyuansu.pro/incn/
Unpacked files
SH256 hash:
fe13f25f0c030c4672222f13d6ce914b7fdd4061b260aecd70c38e73dee93a4e
MD5 hash:
5297ecec101d156aa42b8e2355ec549f
SHA1 hash:
913dede90b34ee63304fd359e3a29833baf17bbe
Link:
https://www.unpac.me/results/2280353a-69d5-4da3-a49b-8bd8f97a6957/
SH256 hash:
ceaafc5520df59919c8c50a4a8b5427481c99b0305abc7b80936ffa51b68a0e3
MD5 hash:
1e145bd1f63f373b3d98e2d6a69f2463
SHA1 hash:
f8cc7ee51b736a88149c0b3da02f99020fa74faf
Link:
https://www.unpac.me/results/2280353a-69d5-4da3-a49b-8bd8f97a6957/
SH256 hash:
b465c8881542a4611151f7789e24cf4fc1b840f048a5607f9854844b09b5aa34
MD5 hash:
c62062fce465193f9d4f5e24e50222c6
SHA1 hash:
2dbdf9ffff58871bd18a6e4b9ae49025b7a15163
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2280353a-69d5-4da3-a49b-8bd8f97a6957/
Parent samples :
6961aeab02e7dafda1e2f16e9ec88fd5dce6199925a71f22657a2c48627ae087
f991818096935708b00e812a9700a0215a1583047f2721552a9d6375abf0db75
391e2aae0e6a27817a8a57c87e89b08e69226fe11bc5b75a78dcc45597a9fcf7
5c26f9486bb9cf170e24b8b022e4a8d8eca8632b158ce0b2751b3f34c81b4221
SH256 hash:
6961aeab02e7dafda1e2f16e9ec88fd5dce6199925a71f22657a2c48627ae087
MD5 hash:
1c68b56f273eab047eccce3cbad492a5
SHA1 hash:
76598e8315496d2bfcaa35edd12f521483ff5c31
Link:
https://www.unpac.me/results/2280353a-69d5-4da3-a49b-8bd8f97a6957/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6961aeab02e7dafda1e2f16e9ec88fd5dce6199925a71f22657a2c48627ae087

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 6961aeab02e7dafda1e2f16e9ec88fd5dce6199925a71f22657a2c48627ae087

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/969722/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/112548/

Comments