MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ea35bc5cdf67eaabcce3fcd75f571a64af9c0b5d739f6fc466db66c79a4aaf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ea35bc5cdf67eaabcce3fcd75f571a64af9c0b5d739f6fc466db66c79a4aaf5
SHA3-384 hash: 351ca5157983e3e24d4b7ecae4e58731b65342297de7353fd8ba880bee526e4070398a584a880ae47335fa46a4aa7e5a
SHA1 hash: b5e3c69ae42957ab34c466cf48f38bdf5f59ea9c
MD5 hash: 1e79a9b3d641d600efd2e0ac4e5d1726
humanhash: paris-sweet-carpet-kitten
File name:1e79a9b3d641d600efd2e0ac4e5d1726.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:470'016 bytes
First seen:2021-09-04 09:51:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:wp3hl4RVGqcJRiePklLVxzf0yDhv2VjwTeYq1DLHza:wV+MqcS4klpZ3
Threatray 8'921 similar samples on MalwareBazaar
TLSH T188A4D09D765076EFC967C872C9642C64EA60B47B530BD347A05312ACEE0E6ABCF114F2
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1e79a9b3d641d600efd2e0ac4e5d1726.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-04 09:52:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/347b30d2-f175-453e-8d44-57be6f1a29a3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185279/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1018.10266.19116.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fdfeabd3-c4c4-4b5e-9a79-074fecbd4a98
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845216
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477643 Sample: SyS80V1RrK.exe Startdate: 04/09/2021 Architecture: WINDOWS Score: 100 31 www.thememorymapco.com 2->31 33 thememorymapco.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 7 other signatures 2->47 11 SyS80V1RrK.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\SyS80V1RrK.exe.log, ASCII 11->29 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 Injects a PE file into a foreign processes 11->61 15 SyS80V1RrK.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.sheffieldfinancoal.com 47.91.170.222, 49721, 49726, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 18->35 37 www.roseannepark.com 18.215.128.143, 49723, 80 AMAZON-AESUS United States 18->37 39 8 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 51 Performs DNS queries to domains with low reputation 18->51 22 msiexec.exe 18->22         started        signatures11 process12 signatures13 53 Self deletion via cmd delete 22->53 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7ea35bc5cdf67eaabcce3fcd75f571a64af9c0b5d739f6fc466db66c79a4aaf5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 14:27:58 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
006dcd5baa67723c1d34336ca9d3eb55eb53cdb58999a8c6a3a64b28c2848220
Formbook
1ab52bac5850518b5e948ea170b9d5b9f7e2aca962e4ed99d171085cdf970e19
Formbook
1ccdc34a2258984fb0df40dd979f71d4c11bce12cb6e840e90fbd9281254ade6
Formbook
3638ac885ef63f3b5bfadd95b0f43c34c3854e2483adde873b3d5fca7a831632
Formbook
69be518fd3748193be11e41acb1fb3e674b6c3f898193dec0c595bf450b19cf8
Formbook
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
Formbook
aa600ea695abd3d2d6d445c6d2b07d3944cfbbf77f0850411ac426d9d6c037c2
Formbook
dd4114ea355d3f70e7683fb8491e2499347b6133bd9ef6d094a0cb6ad8aa4609
Formbook
ed6b9ae0e3a62d8c24788b8d5b9ffcb9317861746bfc7864777db86369a3def4
Formbook
f4ceea0a1881800f657906368b21c25ebee2c6ac3c7ae210548b1dea0ccd420c
Formbook
+ 8'911 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:j4qs loader rat
Link:
https://tria.ge/reports/210904-lv4keahcck/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.harjotsinghnarula.com/j4qs/
Unpacked files
SH256 hash:
142a1ca91ac26e4789ffb09fb174bf42161ccf1ed583e5d9dbf12f587db96204
MD5 hash:
938b3428ac533a9ae6c1291f15c5e910
SHA1 hash:
c6da945c10f4215d3fe79c49d1b1b079111999c8
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/dd552d3b-29ba-4dc1-8f86-a389ee6fce53/
SH256 hash:
7c3edb5f68e646d465f01986fad2adfb4fedf7f4b83235258ec36a66c275dcbb
MD5 hash:
117951f24c69a2f1dab7f720a96e0d61
SHA1 hash:
6345f27437a6395bb792b56b38cd5f587e552d90
Link:
https://www.unpac.me/results/dd552d3b-29ba-4dc1-8f86-a389ee6fce53/
SH256 hash:
089e6b9cea4a6396a80816ac76c6c48b20ef774d4ad9442663c473ca1db43ca1
MD5 hash:
e23b2a604164bc6cc9ae6ce96d3d2572
SHA1 hash:
40edbc2c30ed312ae9bb86937af6b2bb8c3af281
Link:
https://www.unpac.me/results/dd552d3b-29ba-4dc1-8f86-a389ee6fce53/
SH256 hash:
7ea35bc5cdf67eaabcce3fcd75f571a64af9c0b5d739f6fc466db66c79a4aaf5
MD5 hash:
1e79a9b3d641d600efd2e0ac4e5d1726
SHA1 hash:
b5e3c69ae42957ab34c466cf48f38bdf5f59ea9c
Link:
https://www.unpac.me/results/dd552d3b-29ba-4dc1-8f86-a389ee6fce53/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/7ea35bc5cdf67eaabcce3fcd75f571a64af9c0b5d739f6fc466db66c79a4aaf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 7ea35bc5cdf67eaabcce3fcd75f571a64af9c0b5d739f6fc466db66c79a4aaf5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1586158/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185279/

Comments