MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c0e85b84f2b1dfdb580a168386ad91efe7f734066ff3a12a0d359fcb4711dca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c0e85b84f2b1dfdb580a168386ad91efe7f734066ff3a12a0d359fcb4711dca
SHA3-384 hash: ec3883f9ddbe5e0b4ba914d50d1fc8d445530b744cca4db3a4b12dee06f19304e5523ec2d11c768c80bee24a5c8dee83
SHA1 hash: 2c39f2a6df2770fbe890ea094a501fe55f4b7976
MD5 hash: 8d029a307dd67443a5a437b447c323ab
humanhash: tennessee-jersey-alaska-shade
File name:La lista de carga.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:827'904 bytes
First seen:2021-09-21 06:28:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:25MTdtGGtpsmtiK5oyZ3VkwZLVxTwnKBgtlWAh8FCEDpYStqcqvt:hM+FoqFZXYrH8FC6ztbCt
Threatray 9'444 similar samples on MalwareBazaar
TLSH T1A305ADC17D47D89BF4DF6AB398AFC42011646E8D9161C73D2682BA2B55F3312309BE4E
File icon (PE):PE icon
dhash icon b282b8a4a6929e9e (23 x Formbook, 20 x AgentTesla, 9 x SnakeKeylogger)
Reporter abuse_ch
Tags:ESP exe FormBook geo

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
La lista de carga.exe
Verdict:
Malicious activity
Analysis date:
2021-09-21 06:32:14 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/1fcd14a5-8edc-465a-89b3-26a9bf9f53ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189661/
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f1449b1f-40db-426b-a0e3-fad7d34fc05a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854595
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 487027 Sample: La lista de carga.exe Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 11 other signatures 2->50 10 La lista de carga.exe 7 2->10         started        process3 file4 32 C:\Users\user\AppData\Roaming\WXvJoPe.exe, PE32 10->32 dropped 34 C:\Users\user\AppData\Local\...\tmp7D1F.tmp, XML 10->34 dropped 36 C:\Users\user\...\La lista de carga.exe.log, ASCII 10->36 dropped 60 Writes to foreign memory regions 10->60 62 Injects a PE file into a foreign processes 10->62 14 RegSvcs.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 2 other signatures 14->70 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 38 www.artemojo.com 74.220.199.6, 49833, 80 UNIFIEDLAYER-AS-1US United States 19->38 40 www.thefanlounge.com 205.178.189.129, 49832, 80 DEFENSE-NETUS United States 19->40 42 www.smoothcontract.com 52.58.78.16, 49838, 80 AMAZON-02US United States 19->42 52 System process connects to network (likely due to code injection or exploit) 19->52 25 rundll32.exe 19->25         started        signatures10 process11 signatures12 54 Modifies the context of a thread in another process (thread injection) 25->54 56 Maps a DLL or memory area into another process 25->56 58 Tries to detect virtualization through RDTSC time measurements 25->58 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c0e85b84f2b1dfdb580a168386ad91efe7f734066ff3a12a0d359fcb4711dca/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 01:19:20 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nqhilocpfmo73nmaufudq2wzd37h642am37tueva2nm7zndrdxfa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
35880c5210af5dca3edc22a693ab5f0cfcec0105cec988d930ab29fe09bd3461
Formbook
4fa4620f075ed6875b96da8c661287fc12c586ddc524c866a6861a6a94a26bee
Formbook
534d8b4992d534bc90055bab8ad3f479f29d613d573a42cf7e136dd84153b48b
Formbook
5a153e3107280c9674c3dbfb90c1d328a1d067b87beee49a169e5a10273065f5
Formbook
6bcdb1b6795c22308aee5d390cfae409d21a3238a304466dd54c1dee43570afd
Formbook
9b7fd781016675bd73b0acc7e402bbdcf4dfa3e3df4a5dd7d7c9c850bc2d85e8
Formbook
a99b696e8ac16303843b26c95c982d5be9b9fd657d843937cc586c9a8dc29b83
Formbook
d2d6a8c31acdd92eb9a005e2fac8838a382ab0425fc01bc88616bda185ab7b4c
Formbook
d39ec2fb7fa07bb6886173571262d2324d96b6e879ccc4f2cea46ece183e576a
Formbook
fc2480dee0caf0759cb11b01bea00a2588a48267c65ea4e81c66ba2a350fc177
Formbook
+ 9'434 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:cb3b rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210921-g8x8bsbcbr/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.thefanlounge.com/cb3b/
Unpacked files
SH256 hash:
c6e68d6acf81aa9ae9ed2dfbc1362c274b5812c1fcf3b9444ce56021725f39ac
MD5 hash:
9656d6ce415ca2665017e14a6949fc82
SHA1 hash:
995032fdaa1938378423a6f1d98f3ad8e12c3092
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/1aa01953-9b61-4183-9fb2-445c8e50b859/
Parent samples :
6c0e85b84f2b1dfdb580a168386ad91efe7f734066ff3a12a0d359fcb4711dca
afb0dcb294330abe26a2e2611f36441607a878844a251bea8be3e9407e238ad8
ff344e635b268090aafdb8fa830e76c41f34d7cf9a9bf03ed4ede2705008bfef
ba1dc7d4d7eb9f21c8be72fbc9f0bb247806cbcebe96a4c00a68ebf071471ad2
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/1aa01953-9b61-4183-9fb2-445c8e50b859/
SH256 hash:
02c850517aa97186611e08ca8197c45d9ffce6590f902167bce3cb68f3287998
MD5 hash:
9955ba02c3dd8a9625af4b8400f3a7fe
SHA1 hash:
970bf20092354a84ccceb807cd963eb1d8db9e99
Link:
https://www.unpac.me/results/1aa01953-9b61-4183-9fb2-445c8e50b859/
SH256 hash:
169a5594f015e1e946e3279c1062231f8ef5227de53976357d0dd120f0535928
MD5 hash:
850eea642fb6210ce81f4a789cd48eb8
SHA1 hash:
323258902e310aa0b31999f9d4916b45501368ec
Link:
https://www.unpac.me/results/1aa01953-9b61-4183-9fb2-445c8e50b859/
SH256 hash:
6c0e85b84f2b1dfdb580a168386ad91efe7f734066ff3a12a0d359fcb4711dca
MD5 hash:
8d029a307dd67443a5a437b447c323ab
SHA1 hash:
2c39f2a6df2770fbe890ea094a501fe55f4b7976
Link:
https://www.unpac.me/results/1aa01953-9b61-4183-9fb2-445c8e50b859/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c0e85b84f2b1dfdb580a168386ad91efe7f734066ff3a12a0d359fcb4711dca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189661/

Comments