MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94950eecd04b39b6b5e9e79f403ff8d5413ffd9d8176d8af0dc059862b720cf1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94950eecd04b39b6b5e9e79f403ff8d5413ffd9d8176d8af0dc059862b720cf1
SHA3-384 hash: 03ec87ff0f1b8903fb485744fa2dd23f5cf31c3e4d14d448d684df006a1eb2901d721065190089b47bb94c2d254a54cd
SHA1 hash: f133af048ec00ba594537e90388a95424cea0d12
MD5 hash: 5240551a6bd4373c61988e730196432a
humanhash: winter-lamp-north-queen
File name:94950eecd04b39b6b5e9e79f403ff8d5413ffd9d8176d8af0dc059862b720cf1
Download: download sample
Signature Formbook
Create hunting rule
File size:1'032'192 bytes
First seen:2023-01-05 14:33:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Wcr2iNdLByqzNMPIulTYvgSOVvywbzkxSUuCBrcWmrOOZT/e8hucAojSgURVrDJT:tr1DLBIQGmFIjz3YNmSOVe8hc
Threatray 21'723 similar samples on MalwareBazaar
TLSH T10825082F4EC755C4EE3747F472469BB83DA27F81A8615C096CA0F03201BD53AAB3E965
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 6b4b346153455121 (9 x Formbook)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
186
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
94950eecd04b39b6b5e9e79f403ff8d5413ffd9d8176d8af0dc059862b720cf1
Verdict:
Malicious activity
Analysis date:
2023-01-05 14:34:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/981cb768-8c44-4213-94bb-9eac79c6361b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/349706/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.48217.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63b6dfdb0fdf1633326d5d43/reports/aa8e7167-2226-40cb-96a1-40160c233fec/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/266d6940-f696-447d-80ea-ce6fe9ca8483
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1145707
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 778441 Sample: SjCm455tdg.exe Startdate: 05/01/2023 Architecture: WINDOWS Score: 100 58 www.72287a.xyz 2->58 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus detection for URL or domain 2->74 76 Sigma detected: Scheduled temp file as task from temp location 2->76 78 9 other signatures 2->78 11 SjCm455tdg.exe 7 2->11         started        15 EyjmvOQNStEB.exe 5 2->15         started        signatures3 process4 dnsIp5 50 C:\Users\user\AppData\...yjmvOQNStEB.exe, PE32 11->50 dropped 52 C:\Users\...yjmvOQNStEB.exe:Zone.Identifier, ASCII 11->52 dropped 54 C:\Users\user\AppData\Local\...\tmp7332.tmp, XML 11->54 dropped 56 C:\Users\user\AppData\...\SjCm455tdg.exe.log, ASCII 11->56 dropped 86 Uses schtasks.exe or at.exe to add and modify task schedules 11->86 88 Adds a directory exclusion to Windows Defender 11->88 90 Tries to detect virtualization through RDTSC time measurements 11->90 18 SjCm455tdg.exe 11->18         started        21 powershell.exe 21 11->21         started        23 schtasks.exe 1 11->23         started        62 192.168.2.1 unknown unknown 15->62 92 Multi AV Scanner detection for dropped file 15->92 94 Machine Learning detection for dropped file 15->94 96 Injects a PE file into a foreign processes 15->96 25 EyjmvOQNStEB.exe 15->25         started        27 schtasks.exe 1 15->27         started        file6 signatures7 process8 signatures9 64 Modifies the context of a thread in another process (thread injection) 18->64 66 Maps a DLL or memory area into another process 18->66 68 Sample uses process hollowing technique 18->68 70 Queues an APC in another process (thread injection) 18->70 29 explorer.exe 18->29 injected 33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 27->37         started        process10 dnsIp11 60 www.seemsr.com 188.114.96.3, 49685, 80 CLOUDFLARENETUS European Union 29->60 98 System process connects to network (likely due to code injection or exploit) 29->98 39 systray.exe 29->39         started        42 cmmon32.exe 29->42         started        44 autofmt.exe 29->44         started        signatures12 process13 signatures14 80 Modifies the context of a thread in another process (thread injection) 39->80 82 Maps a DLL or memory area into another process 39->82 84 Tries to detect virtualization through RDTSC time measurements 39->84 46 cmd.exe 1 39->46         started        process15 process16 48 conhost.exe 46->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94950eecd04b39b6b5e9e79f403ff8d5413ffd9d8176d8af0dc059862b720cf1/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-12-10 00:59:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sskq53gqjm43nnpj46puap7y2vat77m5qf3nrlynybmymk3sbtyq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2
Formbook
3a6e455b7bf9570c22e255b87a0929af15322ffcb1936a41f782e4f52fd1de6b
Formbook
40f511e420e73d2cb620d782e9ed31dbd1dabe4103b31e025a4158d39a209a5e
Formbook
556db57800de1a678ad62a5d6c85e2de783f3965429679a5c0f584ca3bc483ed
Formbook
59d3d0d82273ee3a78483d3508a8247593a06826f8531de8ca072718e6609598
Formbook
60f594736fc96f0657680d022bd9b9117a4a7d08c1e80812b29d64fa69f814a3
Formbook
9d6d28627c34f8d225dde0a78d27418d461ea3a35e6bc4afa0f50e9cb8bc1b21
Formbook
bf7e149d1f9261676dcfd400ee235372b01f64302efc5be2eb053308e1203d73
Formbook
cdf5c57b42c0d59cf1d683dd2e1999a2bc874fda7c521b25af910f80fd012691
Formbook
ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5
Formbook
+ 21'713 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ci07 rat spyware stealer trojan
Link:
https://tria.ge/reports/230105-rxexqacc99/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1760fceb-efd1-448e-9d7e-03280de9b6a3
Unpacked files
SH256 hash:
df140d439eac7c6b3d92b93f099289a3c5aab8bb2700f76e96fe3cf1a5896c56
MD5 hash:
344610dcf21c8e20223b966898b761fe
SHA1 hash:
d4f36442fd63c9dbb8d70b6bf3f6dc06d2f6dfd5
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/cd4484da-1070-4552-b32c-45fda01de977/
Parent samples :
901e0cc15f4525b844025cc57959ee5dc434844ba318e9f1349589ba965c1f53
794ff32dcb5a26819bea2fa85f82ee36dae53a5d6a6d2e42790801bfb018cda7
8cde8e6a8021c1d4d221179126d6fdd2a2a20a2b24f57fc20202f86640350f96
152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2
9405e5517f3a40a2dafc9e86359aa53e211af30c4fe1a7f77b24bd42ccc36354
9d6d28627c34f8d225dde0a78d27418d461ea3a35e6bc4afa0f50e9cb8bc1b21
94950eecd04b39b6b5e9e79f403ff8d5413ffd9d8176d8af0dc059862b720cf1
8ac5dceeed786e06a01cec7ce9d550a0f48c50511ad81db887c69fd5d720ff3e
a78e65c599449ae8f781711a5b432c95fd1c7ebbb4bb1c9353087e79b62f6489
59fe1ecfcc9a304108971209bdd1656f033bf0ef51744babf253394d58b10bbc
f2a813ed5d99e263f28a0b9224ae1d4f484b606cab37305b56c75a70cff31518
SH256 hash:
a53e1fd6eb34fe2a446b6b6a87be1b0a74ced5c393bfea3037802471f02f7f89
MD5 hash:
81d048fcd1d5a96422b1e9c7cb3f93e2
SHA1 hash:
ea510239075b26492a5ac7b451a130c347a807be
Link:
https://www.unpac.me/results/cd4484da-1070-4552-b32c-45fda01de977/
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/cd4484da-1070-4552-b32c-45fda01de977/
SH256 hash:
6e5661fc00587e7caa24fa24461c6abde28dcb2a96701cc5fd7ae7ecb9246e4f
MD5 hash:
c60af3b7e2abd6c83fbab7323fccb900
SHA1 hash:
8ea4670a296f841e9eac5294133e88914438b600
Link:
https://www.unpac.me/results/cd4484da-1070-4552-b32c-45fda01de977/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/cd4484da-1070-4552-b32c-45fda01de977/
SH256 hash:
94950eecd04b39b6b5e9e79f403ff8d5413ffd9d8176d8af0dc059862b720cf1
MD5 hash:
5240551a6bd4373c61988e730196432a
SHA1 hash:
f133af048ec00ba594537e90388a95424cea0d12
Link:
https://www.unpac.me/results/cd4484da-1070-4552-b32c-45fda01de977/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/94950eecd04b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/94950eecd04b39b6b5e9e79f403ff8d5413ffd9d8176d8af0dc059862b720cf1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349706/

Comments