MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81ca6e69c74078c286b640b713714f3c8dd178bf231736919a01d653422fa5b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: 81ca6e69c74078c286b640b713714f3c8dd178bf231736919a01d653422fa5b5
SHA3-384 hash: 40ef16374b6902504810a59931cbe65f70cb5ff18b170e1e4a7be49fe6762fe1e47051ba170b9be960eaf21485744f64
SHA1 hash: 5f2225968268a5e443ef5148fd4c457cd679efe1
MD5 hash: e4e70cbe4544ca19c27375301c98f929
humanhash: kilo-summer-arizona-india
File name: e4e70cbe4544ca19c27375301c98f929.exe
Download: download sample
Signature: Formbook
File size: 423'424 bytes
First seen: 2021-10-30 06:44:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 6144:LXGqK7sRDR/KRMM2otFi6ZOVSR33THK0G289TVQjeRCpRAIcT1/WOgVEuQ:JIsRDhKRT2koPSRHetDJVQJYWOAEuQ
Threatray: 10'992 similar samples on MalwareBazaar
TLSH: T16094F0D371B5D616D66907F80C2199D05F78AD204E1DEE4A3FA17B9E0B3236A83036B7
Reporter: abuse_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 170
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: e4e70cbe4544ca19c27375301c98f929.exe
Verdict: Suspicious activity
Analysis date: 2021-10-30 07:16:22 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID 512166; sample 2I4791JOUE.exe; start date 30/10/2021; architecture WINDOWS; score 100), flattened from the original graphic:
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures.
Process tree:
  2I4791JOUE.exe (started): dropped C:\Users\user\AppData\...\2I4791JOUE.exe.log (ASCII); Uses netstat to query active network connections and open ports; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    2I4791JOUE.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      NETSTAT.EXE (started): Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        cmd.exe (started)
          conhost.exe (started)
      explorer.exe (injected)
        msdt.exe (started)
Threat name: Win32.Trojan.Bulz
Status: Malicious
First seen: 2021-10-30 06:45:14 UTC
AV detection: 10 of 44 (22.73%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:mxwf rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.zahnimplantatangebotede.com/mxwf/

Unpacked files
SHA256 hash: 58a8d91b66a32898bb3b9d29ad32ac91916d3c6ef814bf364c728fa70d068385
MD5 hash: d4df5abbec423b07def7ab5d036f5dbe
SHA1 hash: f082f1451a77d793ec3607fe801e4f67086c2977
Detections: win_formbook_g0 win_formbook_auto

Parent samples:
SHA256 hash: f18599408ecd86cf64b3bd3ab5c7e0f80538648c5ec7f09c95d126899e76ecf8
MD5 hash: bbe0ab181f723b02c33984c23975405a
SHA1 hash: 61da284b86b4279d945579a9eca6245b99fff2fa

SHA256 hash: 4d1ee061c817ea30ca4e461a4f44388662c1c1c2775be2b323858ddbc1679b35
MD5 hash: 1b6d3d31872537cc611ff4322ffc1099
SHA1 hash: 0108adafb207ce044bfb3f7933da45594c545bee

SHA256 hash: 81ca6e69c74078c286b640b713714f3c8dd178bf231736919a01d653422fa5b5
MD5 hash: e4e70cbe4544ca19c27375301c98f929
SHA1 hash: 5f2225968268a5e443ef5148fd4c457cd679efe1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 81ca6e69c74078c286b640b713714f3c8dd178bf231736919a01d653422fa5b5 (this sample)

Delivery method: Distributed via web download

Comments