MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 712d99f8fa44abad1c6e9395b8236c6a7a1247c767e51721445111a22568742c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 712d99f8fa44abad1c6e9395b8236c6a7a1247c767e51721445111a22568742c
SHA3-384 hash: 2e469bef0387ff4a2751873a85a13590426f3db124a4d872ae8fb58e05a6dcafd5a9fc7cf5756b84c4a860a2574f00f5
SHA1 hash: e67e679c0f9730e02451d13394b06aab55e2b6e0
MD5 hash: 7600223383061fab23f27e42c7cf74c6
humanhash: maryland-utah-helium-princess
File name:Hesabı Onaylayın
Download: download sample
Signature Formbook
Create hunting rule
File size:528'896 bytes
First seen:2022-02-07 10:55:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:gwaVtPLkZky4dlMcVimSVLRfHA2IifosRuTsmah:gwaVtPLkp4dlMcVimEYqoFT
Threatray 14'749 similar samples on MalwareBazaar
TLSH T10BB46B2273D50FB0C9BDB7BE12A4595403F1F0C7A311EB2A7DA602D98A57AC11B7A713
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/234639/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Creating a file
Searching for synchronization primitives
Creating a file in the %temp% directory
Moving of the original file
Unauthorized injection to a recently created process
Enabling autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/6200fac731f00fad9db3fef6/reports/0bec8903-9335-4d0e-bdbb-87c3e49a2ddc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/831cfd30-4185-4cd0-b6bd-be4bb591c301
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/935074
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Drops PE files to the startup folder
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 567552 Sample: Hesab#U0131 Onaylay#U0131n Startdate: 07/02/2022 Architecture: WINDOWS Score: 100 72 www.xn--fiqy4bxlx1tr92f.xn--czru2d 2->72 88 Malicious sample detected (through community Yara rule) 2->88 90 Antivirus detection for URL or domain 2->90 92 Multi AV Scanner detection for dropped file 2->92 94 6 other signatures 2->94 10 Hesab#U0131 Onaylay#U0131n.exe 15 4 2->10         started        15 java.exe 2 2->15         started        signatures3 process4 dnsIp5 78 cdn.discordapp.com 162.159.134.233, 443, 49752, 49820 CLOUDFLARENETUS United States 10->78 58 C:\...\Hesab#U0131 Onaylay#U0131n.exe.log, ASCII 10->58 dropped 128 Moves itself to temp directory 10->128 130 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->130 17 java.exe 14 4 10->17         started        22 cmd.exe 1 10->22         started        80 162.159.129.233, 443, 49811 CLOUDFLARENETUS United States 15->80 24 AddInProcess32.exe 15->24         started        file6 signatures7 process8 dnsIp9 68 162.159.135.233, 443, 49755 CLOUDFLARENETUS United States 17->68 70 cdn.discordapp.com 17->70 52 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 17->52 dropped 96 Exploit detected, runtime environment starts unknown processes 17->96 98 Exploit detected, runtime environment dropped PE file 17->98 100 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->100 26 cmd.exe 3 17->26         started        102 Uses ping.exe to sleep 22->102 104 Drops PE files to the startup folder 22->104 106 Uses ping.exe to check the status of other devices and networks 22->106 30 reg.exe 1 1 22->30         started        32 PING.EXE 1 22->32         started        35 conhost.exe 22->35         started        108 Modifies the context of a thread in another process (thread injection) 24->108 110 Maps a DLL or memory area into another process 24->110 112 Sample uses process hollowing technique 24->112 114 2 other signatures 24->114 37 explorer.exe 24->37 injected file10 signatures11 process12 dnsIp13 54 C:\Users\user\AppData\Roaming\...\java.exe, PE32 26->54 dropped 56 C:\Users\user\...\java.exe:Zone.Identifier, ASCII 26->56 dropped 122 Uses ping.exe to sleep 26->122 39 java.exe 26->39         started        43 PING.EXE 1 26->43         started        45 conhost.exe 26->45         started        47 PING.EXE 1 26->47         started        124 Creates an undocumented autostart registry key 30->124 60 127.0.0.1 unknown unknown 32->60 62 aireapartmentsmsp.com 15.197.142.173, 49823, 80 TANDEMUS United States 37->62 64 sturgisbrews.com 34.102.136.180, 49826, 80 GOOGLEUS United States 37->64 66 7 other IPs or domains 37->66 126 System process connects to network (likely due to code injection or exploit) 37->126 file14 signatures15 process16 dnsIp17 74 cdn.discordapp.com 39->74 116 Writes to foreign memory regions 39->116 118 Hides that the sample has been downloaded from the Internet (zone.identifier) 39->118 120 Injects a PE file into a foreign processes 39->120 49 AddInProcess32.exe 39->49         started        76 192.168.2.1 unknown unknown 43->76 signatures18 process19 signatures20 82 Modifies the context of a thread in another process (thread injection) 49->82 84 Maps a DLL or memory area into another process 49->84 86 Sample uses process hollowing technique 49->86
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/712d99f8fa44abad1c6e9395b8236c6a7a1247c767e51721445111a22568742c/
Threat name:
ByteCode-MSIL.Trojan.Cerbu
Create hunting rule
Status:
Malicious
First seen:
2022-02-07 10:56:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
85
AV detection:
12 of 43 (27.91%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c14a21116ea3497be0c08563fc63f52b51b48bbab421face0ef44450cf09128
Formbook
66057851f8f534441fd89a161f2df30610f1c44554a209c67c09fee531f6a680
Formbook
6846492babd6809fcbf6d1a30ebd47db29061bc23237069ff85a86b406b1abb0
Formbook
75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5
Formbook
889a99efe47a7cd2f2ee5797086d76e5811f9502047d9be1c6cbc1dc815c57fe
Formbook
88bdebfec843e9f4ee4687b3a9a3bc80ac9d4890c5bbead14b996e50732b41a6
Formbook
a7d0cff6a05994c0ae576fa842e44a101879317f62466923f1d96adee2c4a898
Formbook
cfd1a77378decd68cd7a59307b77b93247bdd91e00de5111ecae6b5658c8665f
Formbook
deac58296321ec67026dc3de7275137fbdf1775e28fbd9e4d3bf528be7bc95ff
Formbook
ef799e234fba127a4802668ff58509e2ee986168f86586318cfd9bc3a1b8fa6c
Formbook
+ 14'739 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:g43o loader persistence rat
Link:
https://tria.ge/reports/220207-m1q2yabce6/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Modifies WinLogon for persistence
Xloader
Unpacked files
SH256 hash:
712d99f8fa44abad1c6e9395b8236c6a7a1247c767e51721445111a22568742c
MD5 hash:
7600223383061fab23f27e42c7cf74c6
SHA1 hash:
e67e679c0f9730e02451d13394b06aab55e2b6e0
Link:
https://www.unpac.me/results/8daec390-6799-42a9-924a-1bc1481f79bf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/712d99f8fa44/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 712d99f8fa44abad1c6e9395b8236c6a7a1247c767e51721445111a22568742c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/234639/

Comments