MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86926685c52fc0eb80f8d256eff2fd0e34b1d4580c5861ec230b90370d68b9fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86926685c52fc0eb80f8d256eff2fd0e34b1d4580c5861ec230b90370d68b9fa
SHA3-384 hash: 06ebe15333bdf258825cfa546a2e5f6437817e0160e53673b50a7300c693fa401932af6f780c2364e8406771c630b370
SHA1 hash: 5e175d1dcf82318aa059d2c0095c6bdd0c810d49
MD5 hash: e2cce68a81438b2ceeea09aadeaddb41
humanhash: early-batman-spaghetti-oven
File name:SecuriteInfo.com.Trojan.GenericKD.36850358.14162.31045
Download: download sample
Signature Formbook
Create hunting rule
File size:868'864 bytes
First seen:2021-05-06 21:50:52 UTC
Last seen:2021-05-06 22:01:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:B1fxhwL8mLAHefRIZtbVqrTwqEZ78RmzG6k9p8TE:jZyJAH/ZtxqEZ780zyp2
Threatray 5'020 similar samples on MalwareBazaar
TLSH 72054AA433E4E6BAC58E4375A5943D3153F18C11DAA9BB46AC8CF9F0AC62FE15B011D3
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://103.125.191.69/ps.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-05 12:32:33 UTC
Tags:
loader
Link:
https://app.any.run/tasks/1b9a87a8-07fc-4108-9465-e9d694aa6f1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/151969/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36850358.14162.31045.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/714924
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/86926685c52fc0eb80f8d256eff2fd0e34b1d4580c5861ec230b90370d68b9fa/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 02:54:12 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
26c752e870c67846120eefa974dabdb9ee5b0efd3ddcd45f507aeaa638db2572
Formbook
441a0a46bcdfdee8c8b6761798e75a65204eac43b47547557604f80f26b87e95
Formbook
5559ef68403511daf18f8eb339d1f115cf9f75c94b0d5aeb3924d5493a0a086a
Formbook
7e9997ea452090062e0512decd987ccd4ad16cc04d8bea777a4c8929b5ba85aa
Formbook
9998ff1d42d8af0fcc166bea36887eebf182e91d1816853d9f80e6cbbbaf9145
Formbook
a9c3d37d324e9b6a0ebf9f9369c68cc288117edc4657d086b0fbc0cbafee9e64
Formbook
b55552391ee123f26e577b412c0df78bd0a59644ec510d1e7e708feff12a2abb
Formbook
bf6ae876108b5fec915d91bd36d3ccd22c8593be29412521c32a4b3f11a757f0
Formbook
ce5c68aa433096637d43913129f31a9ce61fe4023487f2b90e39a03520da88c3
Formbook
cfc09cd2a2109a174ccbc346779f2e19316be4601173e2e85c3e4314cc139017
Formbook
+ 5'010 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210506-3x9nj2r8an/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.montcoimmigrationlawyer.com/uoe8/
Unpacked files
SH256 hash:
645219161d8e455fd7b009a31af489a79785b98712ca7f77027bc10a5049607d
MD5 hash:
c968f452c73771a9a5351821d05cf669
SHA1 hash:
27118f93addf3e3b02cf9cf99e07e97a8c927f42
Link:
https://www.unpac.me/results/cb807853-a417-42e4-9b70-3b4d755df9d9/
SH256 hash:
28daaffb3bd3eb0b7247b4c0a9e27d4eed85459376134d4a44e49e7c934b4bfe
MD5 hash:
09b1ef2bd37a519aa4ef28ddcaf8c41c
SHA1 hash:
8372cd1a60e5e2adcae8972776eabf6025afbe74
Link:
https://www.unpac.me/results/cb807853-a417-42e4-9b70-3b4d755df9d9/
SH256 hash:
e892b0d1683d66d3bddf214763f09da02df2c8ee2948cf1df38643d5782f6f16
MD5 hash:
eead13f056e28484426239234b27caf4
SHA1 hash:
6296e63b720e18812d9402916c63a7082364c459
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/cb807853-a417-42e4-9b70-3b4d755df9d9/
SH256 hash:
86926685c52fc0eb80f8d256eff2fd0e34b1d4580c5861ec230b90370d68b9fa
MD5 hash:
e2cce68a81438b2ceeea09aadeaddb41
SHA1 hash:
5e175d1dcf82318aa059d2c0095c6bdd0c810d49
Link:
https://www.unpac.me/results/cb807853-a417-42e4-9b70-3b4d755df9d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/86926685c52fc0eb80f8d256eff2fd0e34b1d4580c5861ec230b90370d68b9fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 86926685c52fc0eb80f8d256eff2fd0e34b1d4580c5861ec230b90370d68b9fa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1201463/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/151969/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-06 21:59:32 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program