MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8395de2fb2940f93de9e2058bae551d3631bb5e93b23b396c5042532f0d2de58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8395de2fb2940f93de9e2058bae551d3631bb5e93b23b396c5042532f0d2de58
SHA3-384 hash: 7af03b30da57ead0d6dc30aa851916f201a82e38429a1916a30761481aeb035ac48c916f393021f504a89de51b1affcf
SHA1 hash: b4677d1bec20f1813d24836fe2d66079987e0e9a
MD5 hash: b69dc9fdb93a1b433ff256b1f97e5322
humanhash: high-uncle-bluebird-king
File name:REPORT_USD65371.35.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'341'440 bytes
First seen:2021-07-06 18:56:23 UTC
Last seen:2021-07-06 19:52:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:4dQKI6NGYQw9QXSZIMxWrYCnCLWlqZs5nE:JTaQXiIkinCClqW5
Threatray 6'196 similar samples on MalwareBazaar
TLSH 80553B3D11B19A83C46FCBB46B6DE73E0F522ABAD316D6353824B09E38517E40D62937
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
REPORT_USD65371.35.exe
Verdict:
Malicious activity
Analysis date:
2021-07-06 18:59:38 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/465d2133-cae6-43ae-ad59-2f9e5217beb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170065/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.32290.2526.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7daeb484-0dbd-4271-ae61-78dc2c93309d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812520
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 444931 Sample: REPORT_USD65371.35.exe Startdate: 06/07/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 4 other signatures 2->42 10 REPORT_USD65371.35.exe 3 2->10         started        process3 file4 28 C:\Users\user\...\REPORT_USD65371.35.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 REPORT_USD65371.35.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.freehypnosisevent.com 81.17.18.194, 49745, 80 PLI-ASCH Switzerland 17->30 32 www.mayartpaints.com 192.155.172.18, 80 PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL United States 17->32 34 2 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 chkdsk.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8395de2fb2940f93de9e2058bae551d3631bb5e93b23b396c5042532f0d2de58/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-06 17:26:02 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qok54l5ssqhzhxu6ebmlvzkr2nrrxnpjhmr3hfwfaqstf4gs3zma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
25ccba7b1faefe85e035fb10cf4bc3c72096640699e19ec1c024c7332c213b58
Formbook
5bcba2a09d8758ca07490dfcd3859a64b3a0092ed7873a707e73346eefd4235e
Formbook
660708a7f99d26de87386ca21682b96179f16f2dbc67578a704cb94d78e9848f
Formbook
7531be8656ccc4c8d8cfac7b13b06f3ed9b533274c71f393712ab1c9b81716fc
Formbook
75eef833ff0c8434f8b093e781b54b3d33c0555613ffe75e05fa6c5bec70a77d
Formbook
9001d75f0d0b09af013fc65992e74d4b568d166ca5837f1bf52316173b3f30d2
Formbook
9ecedea13dc027095e79edab82e3988f028dfda3ea5b5469351a52a82a60ff7f
Formbook
dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450
Formbook
f782375e80f3a68b36457886ac1c6490e2497e6c9fb3ffdb33c1679597f0770e
Formbook
fb2b5f7805523f8e675cf06f611c9429e657f4f0af111bf4959627e6183ddc48
Formbook
+ 6'186 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210706-hlygqbqg32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.mobiessence.com/6mam/
Unpacked files
SH256 hash:
4bae2204ca3e11ddfbdee6aaf0f8638fcd078183f356789b7ba3cb02cdb8443f
MD5 hash:
a9c3cc300a924e6ea662936b70a3acd3
SHA1 hash:
23f9b7e9720ed660de2d6fd943489f13e52a8206
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/80b3bfd3-0466-4e20-b17c-93f04902003a/
Parent samples :
8395de2fb2940f93de9e2058bae551d3631bb5e93b23b396c5042532f0d2de58
b875a5e660e0e64042fc182c3739d6916568132cf1cc2f8919abe516ac4cf534
236348545989c7d1816067f0e7bf78c80d4782e2ac28ab6d9ddbb1a2d4f71cc4
3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff
SH256 hash:
7e3f0e6cef7935c77864275860b5494714de8ffe9713a302aeb3a0aa54c9d6a9
MD5 hash:
1abaa945c402e892dd5814563ae04cf3
SHA1 hash:
663cdcd371802553bcf1a7b4198f23fdad9de4b8
Link:
https://www.unpac.me/results/80b3bfd3-0466-4e20-b17c-93f04902003a/
SH256 hash:
5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110
MD5 hash:
257ca10e5cbb2f8bdf0ae6f3e900e11e
SHA1 hash:
9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec
Link:
https://www.unpac.me/results/80b3bfd3-0466-4e20-b17c-93f04902003a/
SH256 hash:
8395de2fb2940f93de9e2058bae551d3631bb5e93b23b396c5042532f0d2de58
MD5 hash:
b69dc9fdb93a1b433ff256b1f97e5322
SHA1 hash:
b4677d1bec20f1813d24836fe2d66079987e0e9a
Link:
https://www.unpac.me/results/80b3bfd3-0466-4e20-b17c-93f04902003a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/8395de2fb2940f93de9e2058bae551d3631bb5e93b23b396c5042532f0d2de58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8395de2fb2940f93de9e2058bae551d3631bb5e93b23b396c5042532f0d2de58

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/170065/

Comments