MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98c5f71d1ac18c35000b1526179301ad5f7ebc3a1ec1af1f7612fa88f8932286. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98c5f71d1ac18c35000b1526179301ad5f7ebc3a1ec1af1f7612fa88f8932286
SHA3-384 hash: 95342ccad695278700a7e68ff50845370a0811638605457a55e8ed3490306f42aaa24c961530f8a66b908ad0dc1b8700
SHA1 hash: 7cc1fd8d7fa4d69fa2e2867a421e3b526cf6d435
MD5 hash: ca614059519167badabd790a5c1faf57
humanhash: stream-bacon-six-tango
File name:ca614059519167badabd790a5c1faf57
Download: download sample
Signature Formbook
Create hunting rule
File size:1'204'224 bytes
First seen:2022-04-04 16:48:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 24576:I1GuyRumUaMJyOgby/Ux4oJ7FDKhWyE9+:IIAmUawupJZCW1g
Threatray 11'887 similar samples on MalwareBazaar
TLSH T1F2457D6AA742D0C4FA6E24B2CDA0FBF0051BBD7BDE0A1D1711563F82707B69B563A143
File icon (PE):PE icon
dhash icon 71f0f0d4ccccf070 (8 x AgentTesla, 3 x Formbook, 2 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/260694/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/624b218ddb9ca5cf841d20f6/reports/34656835-423c-4704-bed2-5611659df7d4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c703c906-b5c6-4d4c-a167-6321215369c2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/970282
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 602770 Sample: u1fnOOzIQp Startdate: 04/04/2022 Architecture: WINDOWS Score: 100 45 www.yads.house 2->45 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 12 other signatures 2->59 11 u1fnOOzIQp.exe 7 2->11         started        signatures3 process4 file5 37 C:\Users\user\AppData\Roaming\FRwYoRnAj.exe, PE32 11->37 dropped 39 C:\Users\...\FRwYoRnAj.exe:Zone.Identifier, ASCII 11->39 dropped 41 C:\Users\user\AppData\Local\...\tmp16C7.tmp, XML 11->41 dropped 43 C:\Users\user\AppData\...\u1fnOOzIQp.exe.log, ASCII 11->43 dropped 63 Uses schtasks.exe or at.exe to add and modify task schedules 11->63 65 Adds a directory exclusion to Windows Defender 11->65 15 RegSvcs.exe 11->15         started        18 powershell.exe 25 11->18         started        20 schtasks.exe 1 11->20         started        signatures6 process7 signatures8 71 Modifies the context of a thread in another process (thread injection) 15->71 73 Maps a DLL or memory area into another process 15->73 75 Sample uses process hollowing technique 15->75 77 2 other signatures 15->77 22 explorer.exe 15->22 injected 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        process9 dnsIp10 47 kellyhousecleaningdrywall.com 108.179.242.226, 49782, 80 UNIFIEDLAYER-AS-1US United States 22->47 49 lanturalperu.com 157.90.212.15, 49781, 80 REDIRISRedIRISAutonomousSystemES United States 22->49 51 4 other IPs or domains 22->51 61 System process connects to network (likely due to code injection or exploit) 22->61 30 msiexec.exe 22->30         started        signatures11 process12 signatures13 67 Modifies the context of a thread in another process (thread injection) 30->67 69 Maps a DLL or memory area into another process 30->69 33 cmd.exe 1 30->33         started        process14 process15 35 conhost.exe 33->35         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/98c5f71d1ac18c35000b1526179301ad5f7ebc3a1ec1af1f7612fa88f8932286/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 16:49:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tdc7ohi2yggdkaalcutbpeybvvpx5pb2d3a26h3wcl5ir6etekda._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
08bb3c1e40fec4d0cec3b6cf4d0cc4363b5f3544358d77ba94611a812f1eac62
Formbook
4d0c9dd68f5700d34f7567ded0e1dc4a1e958edb4edcc32eb9557ab69e7d90e2
Formbook
5d199f6e3b18707bf891e790552a097e326cb170308a95d4915b1a8e1718a4cf
Formbook
bc5116cdc710b153d2c32a9ecb5bccd7f3ed3c4cee398b9eba9f482dc5c77cd1
Formbook
cd76d4063992bb159bf31d7cc4ff6dcb4acbbb2c47b5cd6a1de03e5f60bb5c6e
Formbook
dc36fc5d4c108d54e3a2a4a5309f87093f484e4bc928158c0a749417052f6f56
Formbook
f4bef0754be1d8e60471746bb06004a86ab38cb0ffb281973fd45f81b610307e
Formbook
fd47fb1d9ae6d4fa2d64afcc600498076f0f8803cb134782723c4a8bd0ae81b4
Formbook
+ 11'877 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:mj6u loader rat suricata
Link:
https://tria.ge/reports/220404-vbm8radbfm/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
71764eb60a83a17343af4a26bf3ec546c5ee08454722233fd5cf59693327b1a4
MD5 hash:
bfcf754fb9acba752f79f44817b7be23
SHA1 hash:
01af19456b6f97790973d0d67a97ecc362ab7aed
Link:
https://www.unpac.me/results/104dae04-6294-4229-8520-82375dc43505/
SH256 hash:
bda8b27724eb96be79e7c0232cce488ff2736cf71f10fa37924ebe1b4709b022
MD5 hash:
d01fff204595579fd51b471ae96b144e
SHA1 hash:
bc7590a4aa11d4b6d7e288b110f50b045fed4878
Link:
https://www.unpac.me/results/104dae04-6294-4229-8520-82375dc43505/
SH256 hash:
59a0cc159dfc369c4fa6dce1b6fb57b5a1604c2ad9437ff6d88c949dcd8e9b41
MD5 hash:
8086e1a0ba3bca5e953b99d58a38a692
SHA1 hash:
ff927e633a82af08ea6813b22ddf0e787001889d
Link:
https://www.unpac.me/results/104dae04-6294-4229-8520-82375dc43505/
SH256 hash:
57fb1cea314c8c55bb795baffdb7bdf2e333fb8a88713179cf1fa292db26e56a
MD5 hash:
4aaa746e2f2146c48e7ae1282c88f93e
SHA1 hash:
3a8abe4d36b09bd3ccf5f93c9b277e13cdc62ea8
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/104dae04-6294-4229-8520-82375dc43505/
Parent samples :
98c5f71d1ac18c35000b1526179301ad5f7ebc3a1ec1af1f7612fa88f8932286
6aecf2a84c05d52c3789b9b22ef5c046eed5dee698e2d94d61cda7219d32bb00
SH256 hash:
98c5f71d1ac18c35000b1526179301ad5f7ebc3a1ec1af1f7612fa88f8932286
MD5 hash:
ca614059519167badabd790a5c1faf57
SHA1 hash:
7cc1fd8d7fa4d69fa2e2867a421e3b526cf6d435
Link:
https://www.unpac.me/results/104dae04-6294-4229-8520-82375dc43505/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/98c5f71d1ac18c35000b1526179301ad5f7ebc3a1ec1af1f7612fa88f8932286

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 98c5f71d1ac18c35000b1526179301ad5f7ebc3a1ec1af1f7612fa88f8932286

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2130941/
Cape
Cape
https://www.capesandbox.com/analysis/260694/

Comments


Avatar
zbet commented on 2022-04-04 16:48:18 UTC

url : hxxp://45.133.174.55/80/vbc.exe