MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69bd3426cb69349ccb68b8ff641f05c51931a7c8a3d563c0234eab905535e031. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69bd3426cb69349ccb68b8ff641f05c51931a7c8a3d563c0234eab905535e031
SHA3-384 hash: 8981aeb4c790eeda52ff67a879fbb4dc9cd33153cd5200ecfdc2ecd7d9ff3e88bb991f4ccaa4152979baee653aa0eafa
SHA1 hash: d115dc4d73d20d2ec5a89c038f903ff26339cc72
MD5 hash: b7915ca5ea922d853ee7e8f74a72f20d
humanhash: social-hotel-montana-uniform
File name:TNT AWB 9066721066.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:899'584 bytes
First seen:2021-07-12 06:39:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:L6OS3us+DNls9lOd4+QrRdkFhCxRJx4O2BT/x9k9s4btS8GY6NXKzCkRGSogDT:L6OS3us++RJx4nHkK4bvFrR+gDT
Threatray 6'401 similar samples on MalwareBazaar
TLSH T1D01517E923BD9045F13AEBF06B1BAA474D5EB16D512D73090FB186C63822D70BB76072
Reporter abuse_ch
Tags:exe FormBook TNT

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TNT AWB 9066721066.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 06:42:57 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/929701ba-2152-449e-b374-dbb542e70c66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170901/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.34439.3786.30321.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aee6a911-682b-4dc7-ae68-dc0686b0c0b0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814552
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 446963 Sample: TNT AWB 9066721066.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 11 other signatures 2->50 9 TNT AWB 9066721066.exe 7 2->9         started        process3 file4 30 C:\Users\user\AppData\Roaming\ghTOioj.exe, PE32 9->30 dropped 32 C:\Users\user\...\ghTOioj.exe:Zone.Identifier, ASCII 9->32 dropped 34 C:\Users\user\AppData\Local\...\tmp62A9.tmp, XML 9->34 dropped 36 C:\Users\user\...\TNT AWB 9066721066.exe.log, ASCII 9->36 dropped 60 Injects a PE file into a foreign processes 9->60 13 TNT AWB 9066721066.exe 9->13         started        16 schtasks.exe 1 9->16         started        signatures5 process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 13->62 64 Maps a DLL or memory area into another process 13->64 66 Sample uses process hollowing technique 13->66 68 Queues an APC in another process (thread injection) 13->68 18 msiexec.exe 13->18         started        21 explorer.exe 13->21 injected 24 conhost.exe 16->24         started        process8 dnsIp9 52 Modifies the context of a thread in another process (thread injection) 18->52 54 Maps a DLL or memory area into another process 18->54 56 Tries to detect virtualization through RDTSC time measurements 18->56 26 cmd.exe 1 18->26         started        38 www.youwatchfreemovie.com 91.195.240.68, 49733, 80 SEDO-ASDE Germany 21->38 40 www.annmvnila.icu 172.67.130.53, 49736, 80 CLOUDFLARENETUS United States 21->40 42 5 other IPs or domains 21->42 58 System process connects to network (likely due to code injection or exploit) 21->58 signatures10 process11 process12 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/69bd3426cb69349ccb68b8ff641f05c51931a7c8a3d563c0234eab905535e031/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 03:47:28 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ng6tijwlne2jzs3ixd7wihyfyumtdj6iupkwhqbdj2vzavjv4ayq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0a2e7c9ad53b5355f4f723912d07f9dae7d1e2d72ac62758cdc44196f124945e
Formbook
2eb57ff3dfafc142e693dd878044f38cb02090cbef35246b2525d19abf0fbaf5
Formbook
a0b018fb2193eec4f61de14d4d60b1cae8ba46b2cabfc704d59ac6d134dbf4e5
Formbook
a4ed754c1a38fd8fc24bb4ec7f5da899c254df070bcc8cfd7b16778701c4b72d
Formbook
c58abe9cc2eda9f80841417a5e8dd7c75416cf0183a6fda6b616a2c312450ab5
Formbook
d3501787751324e615bd13ed80417360fbd7558385662ac34c51b34802f9b9d4
Formbook
de49b28cd6dd83f9d44c2f649ad7850cff63ef6a9b3890766f164e7472085809
Formbook
e1fee7ee20f6d3bd6e913baeae737c558014454223d552c125c3f963e7c1a843
Formbook
ebb6267e5c3bf10ec8ccba29d6fd2c7b747cef8b758db1544caf9edc7f117d7b
Formbook
fb2b5f7805523f8e675cf06f611c9429e657f4f0af111bf4959627e6183ddc48
Formbook
+ 6'391 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210712-sp4grsd78x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.xn--vcsr9nd2hesf.com/g820/
Unpacked files
SH256 hash:
666d803768a8369e7218a05a6a7f737bbdb9feed385d16cbd2e3183ded089b5b
MD5 hash:
fc62a89fcb498fb7399774e34e1fe0ef
SHA1 hash:
d29571fa2659ecb6ca48543ff402e71680095f4f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bd3ec3a6-d49c-42d8-8b06-144307b54fd3/
SH256 hash:
7f83467997b08af9e2927f91e3bf0efa1e54200b7e47bed985b55323aba7c225
MD5 hash:
f4f5dd229db8629750872a8f5e4b88ed
SHA1 hash:
56f12bb317104bc3c2404b58bfe9ca126a37c194
Link:
https://www.unpac.me/results/bd3ec3a6-d49c-42d8-8b06-144307b54fd3/
SH256 hash:
9470ca32bd526d4c7ead883373b3853a656b98a0d88c1eacdd9b963a15ae8933
MD5 hash:
9f3dec142d8efb452525f1eab5e2df8e
SHA1 hash:
49cfe0ab0b2140015dd42d02533571083c7611f3
Link:
https://www.unpac.me/results/bd3ec3a6-d49c-42d8-8b06-144307b54fd3/
SH256 hash:
a1cf3a374639374ab5880b67bad40919ae3218a6b2b8eeae9c53875e9efa433b
MD5 hash:
03087ca0fce0d0c8ae603bdb437aea79
SHA1 hash:
144772944cf1b4474a553dbba47b2d8b66814423
Link:
https://www.unpac.me/results/bd3ec3a6-d49c-42d8-8b06-144307b54fd3/
SH256 hash:
69bd3426cb69349ccb68b8ff641f05c51931a7c8a3d563c0234eab905535e031
MD5 hash:
b7915ca5ea922d853ee7e8f74a72f20d
SHA1 hash:
d115dc4d73d20d2ec5a89c038f903ff26339cc72
Link:
https://www.unpac.me/results/bd3ec3a6-d49c-42d8-8b06-144307b54fd3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69bd3426cb69349ccb68b8ff641f05c51931a7c8a3d563c0234eab905535e031

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170901/

Comments