MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c77bf1abcd2822284197e71fe278ff2ff98fd98075e373500b29521f91e515f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c77bf1abcd2822284197e71fe278ff2ff98fd98075e373500b29521f91e515f
SHA3-384 hash: 24949496497c953a6d8af67f31fc468b1c365f90a04d7cc45e5a78e11d5f4f66191d48df0e15feb66d632cef21b495d8
SHA1 hash: 5255ffa15f73e584f7d0a72538b919d8294e1bc8
MD5 hash: f8e0a31f592449d87fae8e9b76fac8d2
humanhash: kentucky-early-happy-violet
File name:sample photo.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:554'496 bytes
First seen:2021-11-24 14:43:35 UTC
Last seen:2021-11-24 16:48:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:WtD00KzIrw+KEV2qV5gZH6Nr11Jhi2eDbY5Cz:WC0ErZ9Kt8DbY5Cz
Threatray 8'623 similar samples on MalwareBazaar
TLSH T17BC4019933A9A793DC395FF10D3290C013B271197815EA2E6CC971CE2E32B465726BB7
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
sample photo.exe
Verdict:
Malicious activity
Analysis date:
2021-11-24 14:53:46 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/43a9c72d-2772-404b-bfb8-e22107adf064

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.11065.843.13859.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/619e4fb7f36138de3f39eeee/reports/4c6356f5-7c1b-4823-8fe9-72e7a21c5035/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc2b4c77-e8c5-47e3-8043-c4ce9fdc6152
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/895475
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 527950 Sample: sample photo.exe Startdate: 24/11/2021 Architecture: WINDOWS Score: 96 32 Multi AV Scanner detection for dropped file 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected AntiVM3 2->36 38 8 other signatures 2->38 7 sample photo.exe 6 2->7         started        process3 file4 24 C:\Users\user\AppData\...\ClOdGCqNwUHACD.exe, PE32 7->24 dropped 26 C:\...\ClOdGCqNwUHACD.exe:Zone.Identifier, ASCII 7->26 dropped 28 C:\Users\user\AppData\Local\...\tmpD6CC.tmp, XML 7->28 dropped 40 Adds a directory exclusion to Windows Defender 7->40 11 powershell.exe 24 7->11         started        14 powershell.exe 24 7->14         started        16 schtasks.exe 1 7->16         started        signatures5 process6 dnsIp7 30 192.168.2.1 unknown unknown 11->30 18 conhost.exe 11->18         started        20 conhost.exe 14->20         started        22 conhost.exe 16->22         started        process8
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c77bf1abcd2822284197e71fe278ff2ff98fd98075e373500b29521f91e515f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-24 14:44:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nr336gv42kbcfbazpzy74j4p6l7zr7mya5pdoniawkksd6i6kfpq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3a4677dc6f14f38983af15458b11d5f92e71dea8d5cd0e5b263c50d211a72621
Formbook
6c60876d91087cbd176ff5419577f2b3315b2d3a9d9c6d11a06b95ea10d5311f
Formbook
84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d
Formbook
96eb36242589b7a64977eea92e0c0834e5321b605f9a306110398d4da428f3d3
Formbook
c36c4e9b60d516ae00051b635624267123056adbbd874b7b9f67920dcb71aada
Formbook
c50fdcefdf51c648404eb54eebcb81012e2c736252e232759c7eef5fac1d5174
Formbook
c8352baa0192f9bdbf7b0d47d76f9b592ba602ea001fdc21e281899eb3209a6c
Formbook
fa73563a8ccbea57411fb4b9a5c713c1be3771e7c765a0b8e1100d0f4584c634
Formbook
faeb2d3de5505ab361cd3b2ad5bcd604c34f2d23f79fc349204486f4183697bd
Formbook
+ 8'613 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:c46r loader rat
Link:
https://tria.ge/reports/211124-r36ydsgbc4/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.ashleasellshomes.com/c46r/
Unpacked files
SH256 hash:
8344bb71cb013fb4c5de210fcea5e333d013c378e4331c462a53b65342b91ee4
MD5 hash:
bf407aa4da19380b0cc6ccb1b40259ef
SHA1 hash:
ce6192cce6d8347bd46923716262f382eb2448e9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d0026753-5ce2-4a3b-a3a8-a02d8a3082db/
Parent samples :
faeb2d3de5505ab361cd3b2ad5bcd604c34f2d23f79fc349204486f4183697bd
3546415efa309d5e90ca0be71d031ac458c6ca4c61ccfa221a07473d0baca386
6c77bf1abcd2822284197e71fe278ff2ff98fd98075e373500b29521f91e515f
SH256 hash:
48d7760ddb4000f2defd091eaabf1ea181dd536a55316274a59a0bbff827d5b1
MD5 hash:
4260463b2bd49a68791133686a557484
SHA1 hash:
0f7f9b2fc318e6db47180b952f4472d5f61fc81c
Link:
https://www.unpac.me/results/d0026753-5ce2-4a3b-a3a8-a02d8a3082db/
SH256 hash:
6c310cf674c43f9a2d9f1c7a575dee115db8ab11fb05328a9a30d28d7154cab7
MD5 hash:
359b315f025ad6a49062559c6fbf490c
SHA1 hash:
b6658763861243e683fcce05599d238ec533e0a5
Link:
https://www.unpac.me/results/d0026753-5ce2-4a3b-a3a8-a02d8a3082db/
SH256 hash:
302ac54c94e8bdb12b7fdaeef76e2b936e0294ea5b1ced38c6da51ef50c3067e
MD5 hash:
d1a58ca8f82c480763bfa3205e80b770
SHA1 hash:
7b23287d165b2dae07ead2625bd4e1e525d27a1b
Link:
https://www.unpac.me/results/d0026753-5ce2-4a3b-a3a8-a02d8a3082db/
SH256 hash:
6c77bf1abcd2822284197e71fe278ff2ff98fd98075e373500b29521f91e515f
MD5 hash:
f8e0a31f592449d87fae8e9b76fac8d2
SHA1 hash:
5255ffa15f73e584f7d0a72538b919d8294e1bc8
Link:
https://www.unpac.me/results/d0026753-5ce2-4a3b-a3a8-a02d8a3082db/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6c77bf1abcd2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c77bf1abcd2822284197e71fe278ff2ff98fd98075e373500b29521f91e515f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6c77bf1abcd2822284197e71fe278ff2ff98fd98075e373500b29521f91e515f

(this sample)

  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/209016/

Comments