MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d
SHA3-384 hash: dc67d732f6a4c02d859ea093aa886f736aabf80c84d6810ad73b9d06f15a498a82ad13bd932838a872b054cac4ba4e6c
SHA1 hash: d939170a645bbfadf65a5fd6f06bda4ac3be0900
MD5 hash: 3bd6f12e4d6f4ed06a414a6cb100f546
humanhash: muppet-cold-echo-mars
File name:3bd6f12e4d6f4ed06a414a6cb100f546
Download: download sample
Signature Formbook
Create hunting rule
File size:27'648 bytes
First seen:2021-09-21 20:34:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 192:/r/maXg9VVIIffLaVd1fgkuacPHAzmnzmJrR0HA/uvJRBBX5iVECAoVU:/r/maQfVZffGzSkCPHeMKJd0gmX0
Threatray 9'551 similar samples on MalwareBazaar
TLSH T144C24300B7A4CD23F7E10A315E2792891639EE0BDC52AA5FAB5B3F0F7D7110D459AA50
File icon (PE):PE icon
dhash icon 4730d8d4d4d83047 (3 x a310Logger, 2 x Formbook, 1 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3bd6f12e4d6f4ed06a414a6cb100f546
Verdict:
Malicious activity
Analysis date:
2021-09-21 20:37:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/24edd7b0-38cc-4707-bb53-9004a1a7f75d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189999/
Detection(s):
SecuriteInfo.com.Variant.Bulz.738879.29030.31436.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d38b5a6-630f-47dd-850d-f070f58cd7c6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855210
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 487641 Sample: Peq0Amq9EP Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 52 www.motodevi.com 2->52 54 www.babadebabajiaoshimo11.xyz 2->54 56 6 other IPs or domains 2->56 78 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->78 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 5 other signatures 2->84 11 Peq0Amq9EP.exe 15 6 2->11         started        signatures3 process4 dnsIp5 76 store2.gofile.io 31.14.69.10, 443, 49743 LINKER-ASFR Virgin Islands (BRITISH) 11->76 46 C:\Users\user\AppData\...\Peq0Amq9EP.exe, PE32 11->46 dropped 48 C:\Users\...\Peq0Amq9EP.exe:Zone.Identifier, ASCII 11->48 dropped 50 C:\Users\user\AppData\...\Peq0Amq9EP.exe.log, ASCII 11->50 dropped 15 Peq0Amq9EP.exe 11->15         started        18 powershell.exe 18 11->18         started        21 powershell.exe 18 11->21         started        23 2 other processes 11->23 file6 process7 dnsIp8 96 Multi AV Scanner detection for dropped file 15->96 98 Machine Learning detection for dropped file 15->98 100 Modifies the context of a thread in another process (thread injection) 15->100 102 4 other signatures 15->102 25 explorer.exe 15->25 injected 58 www.twitter.com 18->58 60 twitter.com 18->60 29 conhost.exe 18->29         started        62 www.facebook.com 21->62 64 star-mini.c10r.facebook.com 21->64 31 conhost.exe 21->31         started        66 192.168.2.1 unknown unknown 23->66 68 www.google.com 23->68 33 conhost.exe 23->33         started        35 conhost.exe 23->35         started        signatures9 process10 dnsIp11 70 www.privatejetsthai.com 185.53.179.92, 49878, 80 TEAMINTERNET-ASDE Germany 25->70 72 ameliasongsforever.com 198.54.114.139, 49880, 80 NAMECHEAP-NETUS United States 25->72 74 15 other IPs or domains 25->74 94 System process connects to network (likely due to code injection or exploit) 25->94 37 cmmon32.exe 25->37         started        40 autofmt.exe 25->40         started        signatures12 process13 signatures14 86 Self deletion via cmd delete 37->86 88 Modifies the context of a thread in another process (thread injection) 37->88 90 Maps a DLL or memory area into another process 37->90 92 Tries to detect virtualization through RDTSC time measurements 37->92 42 cmd.exe 37->42         started        process15 process16 44 conhost.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d/
Threat name:
ByteCode-MSIL.Trojan.KryptikAGen
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 05:12:17 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
16f669b8657b76f78a71e28f4b475856eddccfd143f2128275212b338aca8620
Formbook
3803dec5e2ab718dedda091e9ee84b588545614ae3d54aa78d956cec21128fda
Formbook
441a0a46bcdfdee8c8b6761798e75a65204eac43b47547557604f80f26b87e95
Formbook
59ced73cabf35385aaedb67d1b0cd813cc16f5f8e056add78cf50f3abc28351a
Formbook
6acf1bec87a9b06a63ac3be623a527d7c419d17bb8a258b67e2f7cc2c607cc10
Formbook
9998ff1d42d8af0fcc166bea36887eebf182e91d1816853d9f80e6cbbbaf9145
Formbook
ab4676fc90e455da2127126bfbd1fd167328c79eda83f686ef71dd89266825f5
Formbook
bf6ae876108b5fec915d91bd36d3ccd22c8593be29412521c32a4b3f11a757f0
Formbook
c5e2e6ca1132790699601f8a322bf098ecfc4001063a94ba0fb1861e73748fd7
Formbook
cfc09cd2a2109a174ccbc346779f2e19316be4601173e2e85c3e4314cc139017
Formbook
+ 9'541 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:qs23 loader rat
Link:
https://tria.ge/reports/210921-zc3gaaafe7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.thanhnguyenedu.com/qs23/
Unpacked files
SH256 hash:
84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d
MD5 hash:
3bd6f12e4d6f4ed06a414a6cb100f546
SHA1 hash:
d939170a645bbfadf65a5fd6f06bda4ac3be0900
Link:
https://www.unpac.me/results/f68e8582-7116-4591-a011-e27f4039be77/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189999/
  
URLhaus
https://urlhaus.abuse.ch/url/1638742/

Comments