MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eee4427f95eee176f7b71c9af116801d55fd7c3057f57320d1dab15369fecd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6eee4427f95eee176f7b71c9af116801d55fd7c3057f57320d1dab15369fecd4
SHA3-384 hash: 9a4439325e4b24883e2a2dff4aae4597c746bec7c1c5b5157034a138cfd9d7da368b202341203b62e2eafc41017ff2ed
SHA1 hash: 79f4b06e3f4a45edd08f961e096d6db9ecff95d6
MD5 hash: 3c4f2b63a3311c60d04643cb6d306e94
humanhash: rugby-lithium-maine-enemy
File name:IMG-XEROX.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:23'040 bytes
First seen:2021-10-12 15:16:50 UTC
Last seen:2021-10-12 15:54:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:qMI0mBJUoOc3qR5WuDhO4+I9y/CMzqTLwzfWntw+synvM:qD4cXfb
Threatray 13'512 similar samples on MalwareBazaar
TLSH T1A1A25132BFD80D52C8F74A3B1CC1BD345D36B9CE96918ABF6984E23E7F501A40968761
File icon (PE):PE icon
dhash icon f0b07090cb6468e2 (5 x AgentTesla, 4 x NanoCore, 3 x BitRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG-XEROX.scr
Verdict:
Suspicious activity
Analysis date:
2021-10-12 15:21:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5a305e1b-b64c-4896-8ddd-f340d7f41d4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196972/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.FVA.genEldorado.26588.23125.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a service
Creating a window
Connection attempt to an infection source
Sending a TCP request to an infection source
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6165a6f0fd35fe780c3ae399/reports/4234a7c7-9f3f-4cf0-8f21-ca9652d965ab/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4ae62f3-4751-43e7-93a9-d1b7eba72410
Result
Threat name:
BitRAT FormBook Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/868806
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected BitRAT
Yara detected FormBook
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 501231 Sample: IMG-XEROX.scr Startdate: 12/10/2021 Architecture: WINDOWS Score: 100 48 jegebit.duckdns.org 2->48 50 www.ntntntnt.com 2->50 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 11 other signatures 2->68 12 IMG-XEROX.exe 19 10 2->12         started        signatures3 process4 dnsIp5 56 store2.gofile.io 31.14.69.10, 443, 49763, 49818 LINKER-ASFR Virgin Islands (BRITISH) 12->56 40 C:\Users\user\AppData\Roaming\...\chrome.exe, PE32 12->40 dropped 42 C:\Users\...\Lmhsaujlkftorymcgcgihthbin.exe, PE32 12->42 dropped 44 C:\Users\user\AppData\Local\...\IMG-XEROX.exe, PE32 12->44 dropped 46 4 other malicious files 12->46 dropped 92 Writes to foreign memory regions 12->92 94 Allocates memory in foreign processes 12->94 96 Injects a PE file into a foreign processes 12->96 17 wscript.exe 1 12->17         started        19 IMG-XEROX.exe 1 4 12->19         started        file6 signatures7 process8 dnsIp9 23 Lmhsaujlkftorymcgcgihthbin.exe 17->23         started        52 jegebit.duckdns.org 2.56.59.21, 43360, 49812, 49814 GBTCLOUDUS Netherlands 19->52 54 192.168.2.1 unknown unknown 19->54 70 Multi AV Scanner detection for dropped file 19->70 72 Machine Learning detection for dropped file 19->72 74 Hides threads from debuggers 19->74 76 Contains functionality to hide a thread from the debugger 19->76 signatures10 process11 signatures12 78 Antivirus detection for dropped file 23->78 80 Multi AV Scanner detection for dropped file 23->80 82 Machine Learning detection for dropped file 23->82 84 5 other signatures 23->84 26 explorer.exe 2 23->26 injected process13 process14 28 explorer.exe 26->28         started        31 chrome.exe 14 2 26->31         started        34 chrome.exe 2 26->34         started        dnsIp15 86 Modifies the context of a thread in another process (thread injection) 28->86 88 Maps a DLL or memory area into another process 28->88 90 Tries to detect virtualization through RDTSC time measurements 28->90 36 cmd.exe 28->36         started        58 store2.gofile.io 31->58 60 store2.gofile.io 34->60 signatures16 process17 process18 38 conhost.exe 36->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6eee4427f95eee176f7b71c9af116801d55fd7c3057f57320d1dab15369fecd4/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 15:17:05 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3xeij7zl3xbo333ohe26eliahkv7v6dav7vomqndwvrknu75tka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2eb844b531f53a22bd20a919fda7cb483283c2e0cfc9968bca6b0c8792be580c
Formbook
3046d29324f18d00e2603aa26674aa29e9cc9ff3e110fb51e23204ff06e36f70
Formbook
5c6bb4be3e5abfc077f779645b07502ad3f9357fa3c486db79d0a2fb4f470527
Formbook
bec65782844355875f88723419b44dc543ba07b83c8a339036f79e39364493c6
Formbook
d5a3b850dc0e753c98a4ff8d4fdf8c8cdd58b0e134e741db5a34b47e7accf0cc
Formbook
f6744dd0f12c44cc62ab5c2b58e0c2877d3935d8e1205f39bc540e3a58a88bc1
Formbook
+ 13'502 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:bitrat family:xloader family:xmrig campaign:tows loader miner persistence rat suricata trojan upx
Link:
https://tria.ge/reports/211012-sn192acebk/
Behaviour
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
UPX packed file
XMRig Miner Payload
Xloader Payload
BitRAT
BitRAT Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
xmrig
Malware Config
C2 Extraction:
http://www.steadycycling.com/tows/
Unpacked files
SH256 hash:
6eee4427f95eee176f7b71c9af116801d55fd7c3057f57320d1dab15369fecd4
MD5 hash:
3c4f2b63a3311c60d04643cb6d306e94
SHA1 hash:
79f4b06e3f4a45edd08f961e096d6db9ecff95d6
Link:
https://www.unpac.me/results/3f69ff0b-5143-4fe6-aac0-488a37eb6c39/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6eee4427f95e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/6eee4427f95eee176f7b71c9af116801d55fd7c3057f57320d1dab15369fecd4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6eee4427f95eee176f7b71c9af116801d55fd7c3057f57320d1dab15369fecd4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/196972/

Comments