MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bdb733cb3f2afe0506cd8959953fd4ade7efaf636e211f99fd6c6aea06e3bdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bdb733cb3f2afe0506cd8959953fd4ade7efaf636e211f99fd6c6aea06e3bdd
SHA3-384 hash: fad02323feed6e88ee44e7c102013835b395a3f12231f899cd71a67a898ff934ae427e6ea188ed648cba12cab75652f8
SHA1 hash: fb70173b28263a23852622c056cbd8bdb61a06db
MD5 hash: 73ab727d65a56573c3aa9c25f5d99286
humanhash: washington-aspen-mockingbird-arkansas
File name:73ab727d65a56573c3aa9c25f5d99286
Download: download sample
Signature Formbook
Create hunting rule
File size:375'296 bytes
First seen:2022-02-15 20:57:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:ffiLBpUSPznChSw5KOxijo2uq+hBs12wef7d0wc050j2qTT9T4gIxs0ZSDzmX0ZA:HsBpbuo+T47uFhK1Jef7d0wc06j1p4gQ
Threatray 13'462 similar samples on MalwareBazaar
TLSH T1FD840292AE5F4602C928433A9FB3A70497F1A9AA9CD3C31F552760B44D7FB593D812CC
File icon (PE):PE icon
dhash icon b2cccc3232cccd32 (1 x Formbook, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241744/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/620c13e4875593a3ccd2634b/reports/eb97ba9e-78c8-4f8f-992d-a8313afa74e6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d9d69a06-d9e9-4218-afb5-38f26f269a64
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/940415
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 572889 Sample: Ekz47IhRig Startdate: 15/02/2022 Architecture: WINDOWS Score: 100 53 www.kjotsk.com 2->53 55 google.com 2->55 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus / Scanner detection for submitted sample 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 3 other signatures 2->79 11 Ekz47IhRig.exe 1 6 2->11         started        signatures3 process4 dnsIp5 61 google.com 172.217.168.14 GOOGLEUS United States 11->61 63 192.168.2.1 unknown unknown 11->63 47 C:\Users\user\AppData\Local\huss.exe, PE32 11->47 dropped 49 C:\Users\user\...\huss.exe:Zone.Identifier, ASCII 11->49 dropped 51 C:\Users\user\AppData\...kz47IhRig.exe.log, ASCII 11->51 dropped 95 Tries to detect virtualization through RDTSC time measurements 11->95 97 Injects a PE file into a foreign processes 11->97 16 Ekz47IhRig.exe 11->16         started        19 conhost.exe 11->19         started        file6 signatures7 process8 signatures9 65 Modifies the context of a thread in another process (thread injection) 16->65 67 Maps a DLL or memory area into another process 16->67 69 Sample uses process hollowing technique 16->69 71 Queues an APC in another process (thread injection) 16->71 21 explorer.exe 16->21 injected process10 process11 23 huss.exe 4 21->23         started        27 msdt.exe 21->27         started        29 huss.exe 3 21->29         started        31 autochk.exe 21->31         started        dnsIp12 57 google.com 23->57 81 Antivirus detection for dropped file 23->81 83 Multi AV Scanner detection for dropped file 23->83 85 Tries to detect virtualization through RDTSC time measurements 23->85 87 Injects a PE file into a foreign processes 23->87 33 conhost.exe 23->33         started        35 huss.exe 23->35         started        89 Self deletion via cmd delete 27->89 91 Modifies the context of a thread in another process (thread injection) 27->91 93 Maps a DLL or memory area into another process 27->93 37 cmd.exe 1 27->37         started        59 google.com 29->59 39 conhost.exe 29->39         started        41 huss.exe 29->41         started        43 huss.exe 29->43         started        signatures13 process14 process15 45 conhost.exe 37->45         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6bdb733cb3f2afe0506cd8959953fd4ade7efaf636e211f99fd6c6aea06e3bdd/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2022-02-15 13:47:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
26b71bbd2d7db3c56d4a9058a84233364b49150c3bb7b60edec35d37e34d06f3
Formbook
31168981af16e0fc209774a91e04e5aaf622cacbed12e970b7a35db0705174d6
Formbook
5dde67093b891df286e998912557fa598ebebc662bb30252fbe9ce7798e50242
Formbook
79215526b0229696bf3961e09918bca444cb43b079ca70834c54db52c49c51ac
Formbook
9767d52eebfbf17f2e549a57d68d7f11c199af327eeb20542b39485f883f61e1
Formbook
a0498dad46971848cf7b2bde020f6ac1ce8bd8508aaf920a2616063098acd6d2
Formbook
b972dfd3f5fd6142b67366d223c0056b75d3d93538a7c05ce35e27ad1c9541ed
Formbook
e8720afe9895124761086a0f00aa515997015669cc5332aebe99d5ea02ca7377
Formbook
+ 13'452 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:xqqm loader persistence rat
Link:
https://tria.ge/reports/220215-zr6ggsabd4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Unpacked files
SH256 hash:
a9771b4981da1efceb555981909524314b2cef59146163cb5f6aad8141575f26
MD5 hash:
4cac4603c1111def3a645a168fd4d225
SHA1 hash:
535595d2bdc6790bed1c686f35a1628e47fc002a
Link:
https://www.unpac.me/results/eab41687-830b-4637-9b12-d8f367b52d65/
SH256 hash:
890f89a1e0538761d7fa5361d5103f884dfa5b7a15e12cd9998f17e7a12da4bc
MD5 hash:
a778db1d8c5decc55baaa6d94819ec27
SHA1 hash:
bb348864b79f8b029891869c8b1b7848642eef7c
Link:
https://www.unpac.me/results/eab41687-830b-4637-9b12-d8f367b52d65/
SH256 hash:
0fa473ee5057a9f0563d1e7e75bec627a227ccd69504f6f1e84f476b92f7c2da
MD5 hash:
59a0d044c1b1548aa79e1ceec47c3c70
SHA1 hash:
442dce5a6c268abd02b81fd6262e93aee61e62d0
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/eab41687-830b-4637-9b12-d8f367b52d65/
SH256 hash:
6bdb733cb3f2afe0506cd8959953fd4ade7efaf636e211f99fd6c6aea06e3bdd
MD5 hash:
73ab727d65a56573c3aa9c25f5d99286
SHA1 hash:
fb70173b28263a23852622c056cbd8bdb61a06db
Link:
https://www.unpac.me/results/eab41687-830b-4637-9b12-d8f367b52d65/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bdb733cb3f2afe0506cd8959953fd4ade7efaf636e211f99fd6c6aea06e3bdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 6bdb733cb3f2afe0506cd8959953fd4ade7efaf636e211f99fd6c6aea06e3bdd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2044598/
Cape
Cape
https://www.capesandbox.com/analysis/241744/

Comments


Avatar
zbet commented on 2022-02-15 20:57:49 UTC

url : hxxp://107.174.138.144/dey/men.exe