MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c00f2f1868618cf3ccb1e056bbdfabb89ac201b28dcb819af71258557648c9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c00f2f1868618cf3ccb1e056bbdfabb89ac201b28dcb819af71258557648c9e
SHA3-384 hash: 39765cb338e029f3dbae9ddbad01c54b003ffb6d09e1978b86a1117753c2a83c1033cc27dfd264dccab0bb749c32ea45
SHA1 hash: 9373cfa41a0edcb55badddc4dda46d0a984ac080
MD5 hash: 81d2b37a620fa7eceef3506db6981ea5
humanhash: red-lithium-football-hotel
File name:urgent payment.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:895'488 bytes
First seen:2022-02-14 09:08:56 UTC
Last seen:2022-02-14 11:44:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'240 x SnakeKeylogger)
ssdeep 24576:1hDQ+98soT8IsblLAKGUKB1/dkE1pACma2A8GXY:1t9OsBLAKM/dkE5m2jo
Threatray 13'258 similar samples on MalwareBazaar
TLSH T1C81502013BEAAB23C2AB0F7BE4B2424157B0D94A5157E77B94D036EC5C8B3694E71339
File icon (PE):PE icon
dhash icon f8a4b2b4b4b4b2c0 (20 x AgentTesla, 8 x Loki, 6 x Formbook)
Reporter pr0xylife
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241331/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.20320.20127.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Gathering data
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35377035-b80e-4a90-a186-0ad0ee32194f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/939215
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 571693 Sample: urgent payment.exe Startdate: 14/02/2022 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 8 other signatures 2->41 10 urgent payment.exe 3 2->10         started        process3 file4 33 C:\Users\user\...\urgent payment.exe.log, ASCII 10->33 dropped 53 Injects a PE file into a foreign processes 10->53 14 urgent payment.exe 10->14         started        17 urgent payment.exe 10->17         started        19 urgent payment.exe 10->19         started        signatures5 process6 signatures7 55 Modifies the context of a thread in another process (thread injection) 14->55 57 Maps a DLL or memory area into another process 14->57 59 Sample uses process hollowing technique 14->59 61 Queues an APC in another process (thread injection) 14->61 21 explorer.exe 14->21 injected process8 signatures9 43 Uses netsh to modify the Windows network and firewall settings 21->43 24 netsh.exe 21->24         started        process10 signatures11 45 Self deletion via cmd delete 24->45 47 Modifies the context of a thread in another process (thread injection) 24->47 49 Maps a DLL or memory area into another process 24->49 51 Tries to detect virtualization through RDTSC time measurements 24->51 27 cmd.exe 1 24->27         started        29 explorer.exe 1 148 24->29         started        process12 process13 31 conhost.exe 27->31         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c00f2f1868618cf3ccb1e056bbdfabb89ac201b28dcb819af71258557648c9e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-14 09:09:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nqapf4mgqymm6pgldycwxpp2xoe2yia3fdolqgnpoesykv3erspa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
31168981af16e0fc209774a91e04e5aaf622cacbed12e970b7a35db0705174d6
Formbook
5de06778dd414ee2cc418f089914bb7a656ccf854a30a004d286599cda4c4013
Formbook
6893bbff4695dce3754071670e11d7e7d310ad196b57cdb41cd8c3cd7ea3d8f3
Formbook
7cbd8cc35b03d65491ad01b6a44b84dc047e6663189554201c24dbfbeb81473c
Formbook
9bceb9680d39094087add5289a7e19aa93168faf9c5f2465700b117d59e8d841
Formbook
a6e23730cd711af23e7900cbabb871b668d37a74dda0c97d63f3303167861cf5
Formbook
d2cc3484cdabe8305bf9afd35530ca1118ca2c308408dc7140c3a94b392b60bb
Formbook
e8e0f125d909bafae93f469222f2cfbcb30585e03825d8442c8934a92fdd6c89
Formbook
fa3b721595b9e5571bcfd42767aa563f6e363a3fff9e9cdbfb525d0f28e62eb7
Formbook
ff3f7736a06e89ae300270369d83b922423c8a840903b30a8a21365c4b0b0628
Formbook
+ 13'248 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:8gce loader rat
Link:
https://tria.ge/reports/220214-k4fz2ahag5/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
2a1c2225605de7ae1af8249a7c362d9827ecf128cffed42beda8ef7ad407519a
MD5 hash:
f0dc36a13dbab04584af5ee5feb1a629
SHA1 hash:
76f63d855339617265159d851bb884c85758126c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/77cb86ce-9d13-4e81-9a4f-6b1de82c1ede/
Parent samples :
640116c2179899f3ee364b4b549b136ec76c2d6fe08d462c36769b80c136e486
4214037b0098bd2d9c6e65a044a9af6c94c83f00580f40074ce7cdb06da455fe
6c00f2f1868618cf3ccb1e056bbdfabb89ac201b28dcb819af71258557648c9e
2fd3db9eb65d7a120e24e7245a73e4e88d4b2a7998d82986e8b2e2f20af1d932
503afb59d8192f6adb3e67db043eeb6459e8ec3fc117ef8e2f6690d5f0c4a12b
0b7b92e40a75e7c96676e65733f2babfdf0c37529c130619510b2b0b7879a697
54d3a5ab9cf83b63a50a382b1f3fe4f2bdc03620744b9ecdee74723415fccd9d
38444024682d6ea391135d374ecd6f457bb01df512801e25fcbd2931afe58d92
SH256 hash:
202f0cda52a87ea21faa56fdc4f747596caec91843f67bddd9076a8c7f8c6edc
MD5 hash:
af3391d60171244389696f69595420a7
SHA1 hash:
bfdc6e92a051dca34af95102612ec11b42deaf75
Link:
https://www.unpac.me/results/77cb86ce-9d13-4e81-9a4f-6b1de82c1ede/
SH256 hash:
f1c92376c4e792e6fada447b1f315cdf6a5bba762971fee647dca94225bfad5e
MD5 hash:
71f950b45045b60276ff9d51eb3751c9
SHA1 hash:
906e0e2ef021282e3887498622d0ed8c4e59c9b2
Link:
https://www.unpac.me/results/77cb86ce-9d13-4e81-9a4f-6b1de82c1ede/
SH256 hash:
3c54114898a4de2b1ff078d06440d80c94dffd3c9adda979a5c18c079158ce50
MD5 hash:
092017b0cd3069d7788676a96a043856
SHA1 hash:
80979c54da6e860cc3294840da3168dbf1d41434
Link:
https://www.unpac.me/results/77cb86ce-9d13-4e81-9a4f-6b1de82c1ede/
SH256 hash:
6c00f2f1868618cf3ccb1e056bbdfabb89ac201b28dcb819af71258557648c9e
MD5 hash:
81d2b37a620fa7eceef3506db6981ea5
SHA1 hash:
9373cfa41a0edcb55badddc4dda46d0a984ac080
Link:
https://www.unpac.me/results/77cb86ce-9d13-4e81-9a4f-6b1de82c1ede/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6c00f2f18686/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/6c00f2f1868618cf3ccb1e056bbdfabb89ac201b28dcb819af71258557648c9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241331/

Comments