MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96eb36242589b7a64977eea92e0c0834e5321b605f9a306110398d4da428f3d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	96eb36242589b7a64977eea92e0c0834e5321b605f9a306110398d4da428f3d3
SHA3-384 hash:	a7bd3430ac1a56727c7a234e5eb8c1aa9a4de68a3620b43f84b330c7019cccc59d0e1b4733871adde6f958cf05095a46
SHA1 hash:	378492a828f10eeeee84fab591f9124d2da4dda8
MD5 hash:	9fcb723c209d94bce4bba9329f2afc67
humanhash:	spring-island-east-finch
File name:	SecuriteInfo.com.Trojan.Inject4.19817.13045.32260
Download:	download sample
Signature	Formbook Create hunting rule
File size:	836'096 bytes
First seen:	2021-11-17 10:01:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:rS8QhCcfZ/2YpBzFn9oJ2LOmC4Y0NM56pYFjI4S2zG9+aw9cNq0p2W:fk/2YpBV2J2LK/s624jZqN
Threatray	8'590 similar samples on MalwareBazaar
TLSH	T19805F12137795F13C5BD83F48126814407F2766962ABEB1E6CC3B4DB7E62B518B86E03
File icon (PE):
dhash icon	c8c4e2f934dc2e16 (10 x Loki, 6 x Formbook, 6 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/206752/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.19817.13045.32260.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6194d31d4912a8c920a13dc6/reports/32482440-1287-4904-93c3-44d9f3e89aa5/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1d2b328a-a815-4ed7-80f6-7ae32c866b25

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/891052

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicius Add Task From User AppData Temp

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/96eb36242589b7a64977eea92e0c0834e5321b605f9a306110398d4da428f3d3/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-11-17 09:53:23 UTC

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s3vtmjbfrg32mslx52us4daigtsteg3al6ndayiqhggu3jbi6pjq._file

Verdict:

malicious

Label(s):

formbook

Formbook

3f383c683795d277510e0fb4c806ae17bfb33dd6ff875b66c159068e58c28818

Formbook

4b9ec9143ae2471c8cf540f5e3815c4ca4bb5e073d5c45e6bd934cc0350e8546

Formbook

57245d791290c103ec19da5f45132f22cea4f65f7d4302acd6e0948ddc7cdf76

Formbook

8db032a108bfbc9b5d4d2be6f466add20a81685196253867b99e6456e02adadf

Formbook

b092672d7f36d3deaab664c0a562b055f9cee3f247328e639aca58f025f979ca

Formbook

cfdb27a9ff39bd1aa5a0a43fe6e272c269a311f5748d8a13b2e705f7d66f16bd

Formbook

+ 8'580 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:46uq loader rat

Link:

https://tria.ge/reports/211117-l2tc1sade2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.liberia-infos.net/46uq/

Unpacked files

SH256 hash:

ff1617f3a5d1c41889a9ffe448ec461bdffcc05a823d7bce53d71cd352931c28

MD5 hash:

1e8e32ce8f04d3d466b7abbc22475707

SHA1 hash:

d69f42046f5fb4f9fb6035e1238707c81a39edb5

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/408d2517-fee0-4128-b0b3-3d90068b46ff/

Parent samples :

e7f1ace8723e30320b9e8bc3dc8a079c2d82d8c58b6ef7e0810ee4f661f5f141
96eb36242589b7a64977eea92e0c0834e5321b605f9a306110398d4da428f3d3
c36c4e9b60d516ae00051b635624267123056adbbd874b7b9f67920dcb71aada
c50fdcefdf51c648404eb54eebcb81012e2c736252e232759c7eef5fac1d5174
f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745
d176de3884899e94f7c82f1ad0b21e9f305d3d5d7d753cc701a880e01d692cad

SH256 hash:

86fe170cc6dd3a576807c1192a06ead68bf210f9ccd14f1a81d4f44c2dbcc25f

MD5 hash:

bf5c170790a9378101dbc312303925e3

SHA1 hash:

bddaf21c02ba5cec7c4dfd1b1f289e23714a8ba8

Link:

https://www.unpac.me/results/408d2517-fee0-4128-b0b3-3d90068b46ff/

SH256 hash:

e1f93a350ab0a7ce4f7bba1bc44020e2052887a1ad0b5455778444049ec518cd

MD5 hash:

0c13ad9ff9672054b509df03c0b96b30

SHA1 hash:

7764106872c04a4ddc083b3d2f106f6706f349d0

Link:

https://www.unpac.me/results/408d2517-fee0-4128-b0b3-3d90068b46ff/

SH256 hash:

967fbaaed7d5782c81327fdb58207789f74c8e33de901e02c1e9295ecabbba0e

MD5 hash:

67b0d482cd0438eeffe87dea5a396d02

SHA1 hash:

736ed08ebb4c10098f293fa62b2b55336324130c

Link:

https://www.unpac.me/results/408d2517-fee0-4128-b0b3-3d90068b46ff/

SH256 hash:

96eb36242589b7a64977eea92e0c0834e5321b605f9a306110398d4da428f3d3

MD5 hash:

9fcb723c209d94bce4bba9329f2afc67

SHA1 hash:

378492a828f10eeeee84fab591f9124d2da4dda8

Link:

https://www.unpac.me/results/408d2517-fee0-4128-b0b3-3d90068b46ff/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/96eb36242589b7a64977eea92e0c0834e5321b605f9a306110398d4da428f3d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/206752/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample