MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84fe2a2e7c5228db514d071b4857c0361c07be4de68c26b4fd47d18452217765. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84fe2a2e7c5228db514d071b4857c0361c07be4de68c26b4fd47d18452217765
SHA3-384 hash: 41c58d7e1e3ddd424784b4af4e0ad2c8610b672c3afe1f00c4c1eb33e9fec289be419b4dfa6b69d7f3f615f005e0dfbf
SHA1 hash: 835ffad1cfad92d3ea7617d0e6af58e03c4a78c4
MD5 hash: 3991631960a56d8f41ddb5e2785abed8
humanhash: oklahoma-utah-bacon-missouri
File name:3991631960a56d8f41ddb5e2785abed8
Download: download sample
Signature Formbook
Create hunting rule
File size:1'127'424 bytes
First seen:2021-12-17 16:14:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:jKc2qp0umhUUUUUUUi1BAz/z+AuSK3lLTG727Ctlk/ybHKDQZNEwUUUUUUUUUJnL:uVqp0v1SCDSK3JTE27qlk/uZNA15GG
Threatray 12'598 similar samples on MalwareBazaar
TLSH T1FB35078525AD3B25FD7953F800AA6C94C7BA7D2A717EC68D8CC330D72973F924850A1B
File icon (PE):PE icon
dhash icon b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/214858/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/61bcb74fa2eae65b861f4402/reports/da111d8b-5a28-4ff8-9e6a-3eefc935b97e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/738375d6-590d-43aa-ad16-f4fe6c20a395
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/909194
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 541674 Sample: IdSKRE4TmL Startdate: 17/12/2021 Architecture: WINDOWS Score: 100 31 www.selectpickguards.com 2->31 33 www.lgdljt.com 2->33 35 3 other IPs or domains 2->35 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 6 other signatures 2->47 9 IdSKRE4TmL.exe 3 2->9         started        signatures3 process4 file5 23 C:\Users\user\AppData\...\IdSKRE4TmL.exe.log, ASCII 9->23 dropped 55 Tries to detect virtualization through RDTSC time measurements 9->55 57 Injects a PE file into a foreign processes 9->57 13 IdSKRE4TmL.exe 9->13         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 13->59 61 Maps a DLL or memory area into another process 13->61 63 Sample uses process hollowing technique 13->63 65 Queues an APC in another process (thread injection) 13->65 16 explorer.exe 13->16 injected process9 dnsIp10 25 www.yinmi.xyz 16->25 27 www.a2zhandymanservices.com 217.160.0.176, 49789, 80 ONEANDONE-ASBrauerstrasse48DE Germany 16->27 29 11 other IPs or domains 16->29 37 System process connects to network (likely due to code injection or exploit) 16->37 39 Performs DNS queries to domains with low reputation 16->39 20 cscript.exe 16->20         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 20->49 51 Maps a DLL or memory area into another process 20->51 53 Tries to detect virtualization through RDTSC time measurements 20->53
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/84fe2a2e7c5228db514d071b4857c0361c07be4de68c26b4fd47d18452217765/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-17 08:48:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
74
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1bbc8a34b7590c1593c5a79a8d0f93b17a162f44893c37aa11e4cb9e0e2d96bf
Formbook
67e2366e87044cbdeefa32770db63e9592c7e637d4c62c678f894eeba419bd26
Formbook
6fafca0825dbdedf739d4f57ea1b09563eed9834a54f2998b712891baeef4839
Formbook
84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d
Formbook
b7b66b6a4f361469fabac82e4802b30059229fae232e46ef887c3f8a32828f2b
Formbook
b830b088dcc04db74fc8afbb16dcfff0134c405228be44df5d996a9a5b254bff
Formbook
d544f115e860d3282bd996d7b12ac92c10097d68d135667cca0f847ca754f8ef
Formbook
e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01
Formbook
efaa4527b761b2acb19d40051d303867ce0798ea1e32cf72b4408898d01b463b
Formbook
+ 12'588 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:g64e loader rat
Link:
https://tria.ge/reports/211217-tpps3aefcr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
9f5763966bacdc6de3944a6e06a49b05869c38f2e98b32cb93b483a480a6ffff
MD5 hash:
3418c620c4b9dd4533a88f1ba5ec3ff1
SHA1 hash:
12f6aaf1c90030c4063d42a27b2e7000a08b6e74
Link:
https://www.unpac.me/results/6fe8809e-f0e3-4ba5-8593-608cb6a405cd/
SH256 hash:
d77932ddc0914f4f8c7658e9b9177eb9bba234fd43db73e610459de5d17df828
MD5 hash:
4f57f811e79df6a521e6e943880f787c
SHA1 hash:
f1788ff498728ebaf077570029caa675f7c6daf7
Link:
https://www.unpac.me/results/6fe8809e-f0e3-4ba5-8593-608cb6a405cd/
SH256 hash:
7f93902467f17d71e76dcf7c9926bb6ee3830eafb33e54f2796b102e5a5c1680
MD5 hash:
f06b2c47b09e866576f16c0ffb86f5ec
SHA1 hash:
16c85fd768f6d541862610519bf619681fcad100
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6fe8809e-f0e3-4ba5-8593-608cb6a405cd/
SH256 hash:
84fe2a2e7c5228db514d071b4857c0361c07be4de68c26b4fd47d18452217765
MD5 hash:
3991631960a56d8f41ddb5e2785abed8
SHA1 hash:
835ffad1cfad92d3ea7617d0e6af58e03c4a78c4
Link:
https://www.unpac.me/results/6fe8809e-f0e3-4ba5-8593-608cb6a405cd/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/84fe2a2e7c52/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/84fe2a2e7c5228db514d071b4857c0361c07be4de68c26b4fd47d18452217765

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 84fe2a2e7c5228db514d071b4857c0361c07be4de68c26b4fd47d18452217765

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/214858/
  
URLhaus
https://urlhaus.abuse.ch/url/1893558/

Comments


Avatar
zbet commented on 2021-12-17 16:14:05 UTC

url : hxxp://paxz.tk/izuzx.exe