MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d1db64be8034306d9b947c25edf28730771762e1df73dc15f4bb2347266f4a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d1db64be8034306d9b947c25edf28730771762e1df73dc15f4bb2347266f4a1
SHA3-384 hash: 18707edd0ae8f1167fe5fdcbbb22a8b7a75f084febaaa6a0a6049e04f788f7e9dcddc5315a68b42430fae2012f2207f4
SHA1 hash: 949fa30b4421a761affb20b40dd78b60205997c7
MD5 hash: 413ab519f50e6709faa369ea11176dd8
humanhash: cat-enemy-east-stairway
File name:Change Vessel Schedule Notice - KTX3-JVA261S.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:384'000 bytes
First seen:2021-10-31 20:16:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:DWrGQPRN9JGGwXjdZC+zqirzPCewGRto+1tZBnrik3b0cG9hTobzHE0HRdbg:yyQrCXjRqiKeqqBrik3DG/KHZRZg
Threatray 11'060 similar samples on MalwareBazaar
TLSH T14F840209AB5D8673C5AE87FD08A74A2453B56A77A923DF0E1EC8B4DD2DB33400D40B67
File icon (PE):PE icon
dhash icon 4d4dcde666b20f27 (9 x AgentTesla, 8 x Loki, 6 x Formbook)
Reporter Racco42
Tags:exe FormBook scr

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Change Vessel Schedule Notice - KTX3-JVA261S.scr
Verdict:
Malicious activity
Analysis date:
2021-10-31 20:23:22 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/2468fe86-479d-45ce-a760-078fbe6d5fe3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.6999.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Delayed writing of the file
Creating a window
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/109031e6-dc70-40b3-8073-6c18fa3e1cdc
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/880051
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 512485 Sample: Change Vessel Schedule Noti... Startdate: 31/10/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 9 other signatures 2->42 10 Change Vessel Schedule Notice - KTX3-JVA261S.exe 3 2->10         started        process3 file4 28 Change Vessel Sche...TX3-JVA261S.exe.log, ASCII 10->28 dropped 54 Injects a PE file into a foreign processes 10->54 14 Change Vessel Schedule Notice - KTX3-JVA261S.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.zhxinniang.com 168.76.79.27, 49852, 80 ULTRANETSERVICOSEMINTERNETLTDABR South Africa 17->30 32 www.refaccioneselprimo.top 158.247.196.199, 80 FEWPBUS United States 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 wscript.exe 17->21         started        signatures10 process11 signatures12 46 Self deletion via cmd delete 21->46 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6d1db64be8034306d9b947c25edf28730771762e1df73dc15f4bb2347266f4a1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 03:14:53 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nuo3ms7ianbqnwnzi7bf5xziomdxc5rodx3t3qk7jozdi4tg6sqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
060c2f164a53cf74817b9b2f176d770dbde8b1ef71fe5322abf9ae8197232b7d
Formbook
19428f9c431fb0f8d6fbd9ca194589bacf9d9d3e475717031373b71982bea2a5
Formbook
37fe8e29a0b03c101b7de698fe335669bd98d2f4afdbe202bca00ceef540bd5d
Formbook
5c175aad872d219fa23de0c83ea085fbdca8d76601167089b4e55ee66d520276
Formbook
88c841869430e07bb9b80e52d61d4f013c6bd8753b06807b411a428f09669c33
Formbook
a3fba91bd7cda8d1f2425dc05210f427c7084e12ea6b3f45b64d6da356f036d1
Formbook
b8dc1db94b5752524bd51980516ac00c095ef291ca89d8096db6cb4b4dab91b6
Formbook
f8d9fbcef6907460baa7c91e53d1a40865901bb50906b5519cba440fdbc65032
Formbook
fff77f3852a66a56bad4ec5bc1c1bc2afb0b08b8ea65393384a1ee6917dcb355
Formbook
+ 11'050 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:mc6b loader rat suricata
Link:
https://tria.ge/reports/211031-y2pfaadbhn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.orderinformantmailer.site/mc6b/
Unpacked files
SH256 hash:
57f345b6d516489389fffeedc00c642e0d850485b36ea9829e092d3f7cc601e5
MD5 hash:
18d21f966189dc6ac738a0e718106474
SHA1 hash:
007d152fdd6ff727262689be34b2217626eee6d0
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/dcfe30f5-c953-4c5c-bf68-796e2af2c5c6/
Parent samples :
6d1db64be8034306d9b947c25edf28730771762e1df73dc15f4bb2347266f4a1
05d5b977ea607673e5be640c0a73fd382e02eeecac8e91ac7e3e36bd334e32d4
fb276f51c615e16f18d29939fd68c876b2edca1351471e3d428fadcb61e97239
b3abc09be3775f75fe01c084e3024371dcf7bba8b91e97d5ecf35862f9812ee2
d1edc3c0253606f0816f85d7eafe573813deb260842945ac31c376cb28d7504b
SH256 hash:
c244aa6ae01dc65dd88ac9fa322daad9eed3dd6b0cc7cd42efebaaf1540e89c6
MD5 hash:
6fdaf9dbbd1af879615be997601c1e59
SHA1 hash:
9218c82eddfc3c319ab5227a6ba5fca365708ad5
Link:
https://www.unpac.me/results/dcfe30f5-c953-4c5c-bf68-796e2af2c5c6/
SH256 hash:
4d1ee061c817ea30ca4e461a4f44388662c1c1c2775be2b323858ddbc1679b35
MD5 hash:
1b6d3d31872537cc611ff4322ffc1099
SHA1 hash:
0108adafb207ce044bfb3f7933da45594c545bee
Link:
https://www.unpac.me/results/dcfe30f5-c953-4c5c-bf68-796e2af2c5c6/
SH256 hash:
6d1db64be8034306d9b947c25edf28730771762e1df73dc15f4bb2347266f4a1
MD5 hash:
413ab519f50e6709faa369ea11176dd8
SHA1 hash:
949fa30b4421a761affb20b40dd78b60205997c7
Link:
https://www.unpac.me/results/dcfe30f5-c953-4c5c-bf68-796e2af2c5c6/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6d1db64be803/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/6d1db64be8034306d9b947c25edf28730771762e1df73dc15f4bb2347266f4a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6d1db64be8034306d9b947c25edf28730771762e1df73dc15f4bb2347266f4a1

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments