MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98c9c20fcffa6fe99c0841a33f4a9283552b9393d958818b9b2b610d5467822e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98c9c20fcffa6fe99c0841a33f4a9283552b9393d958818b9b2b610d5467822e
SHA3-384 hash: 31d423d3c798bf764fcf332a9a70311e83ae9738836f8075bd8dca498c0470949c4f97506a59984003a0e75c8362ef61
SHA1 hash: cf217d41e06f4c35eb00e8ad95bbfcd419a75424
MD5 hash: 5c4dd55a06141f850ddcedb9253ed84c
humanhash: dakota-batman-william-fifteen
File name:5c4dd55a06141f850ddcedb9253ed84c
Download: download sample
Signature Formbook
Create hunting rule
File size:775'168 bytes
First seen:2022-03-08 18:16:32 UTC
Last seen:2022-03-08 19:51:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:2PveLYfblXFoMLSSMPxX5454lshc1vm+y4MRx1uwRWh7j4b0Kw49keNR8he/OAC2:I1dFoMOSMPxO6qhc1vm+yFx1u0x1X+ha
Threatray 10'670 similar samples on MalwareBazaar
TLSH T138F48DACBB482B9AEF901AE2899650463D20374CA1CED6312F8FDE50F0E6C75597435F
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
encrypted
Create hunting rule
ID:
1
File name:
60fcf19d11208963f722192d0ba0d76d.zip
Verdict:
Malicious activity
Analysis date:
2022-03-08 12:49:10 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/50652d58-b7ce-4477-aad9-a7d55af59046

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248455/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.21756.8857.29940.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Launching a process
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62279da6dfdfa8501c7b7b71/reports/ce183653-353c-4023-8071-c44d5baaecb4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76b08620-9a44-4776-bc85-c2ecc421c2fc
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952869
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 585348 Sample: 5Z30W7v8Y9 Startdate: 08/03/2022 Architecture: WINDOWS Score: 100 31 www.755xy.xyz 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Multi AV Scanner detection for domain / URL 2->41 43 Found malware configuration 2->43 45 12 other signatures 2->45 11 5Z30W7v8Y9.exe 1 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\5Z30W7v8Y9.exe.log, ASCII 11->29 dropped 55 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->55 57 Writes to foreign memory regions 11->57 59 Allocates memory in foreign processes 11->59 61 Injects a PE file into a foreign processes 11->61 15 TpmInit.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 2 other signatures 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 33 califunder.com 141.95.173.164, 49817, 80 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 18->33 35 www.pynch2.com 18->35 37 2 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 msdt.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/98c9c20fcffa6fe99c0841a33f4a9283552b9393d958818b9b2b610d5467822e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-08 18:17:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00d8e033e68ffe5f290339a1e00193b0376814bc8a27c8978b9b5e0de6b2823f
Formbook
39586764971f496d274f3d453029954720962ed36672050b742aef8b4e68a78e
Formbook
510bc545d130a8a3ba0761398b897e7f0840a393d7cd12d98699525e0eb8bfff
Formbook
5f8d69976e4d3c9b6508cd376dcab4971a605d8d1122952ad604f7b48d2ef1e1
Formbook
ab12ca2a034e07fbdd6c9d6c31270f52173cd8559e12aad0aea593cc460867cd
Formbook
afdf1b728a94beb99d17537a9caa1cad644b86725578ac3fb350cf30c9441e7b
Formbook
d3fae1feacb2e75560f838099213ae33385d6a0a11caa222a4f09024721e2720
Formbook
dae8588b604d0728a1a1ecc77096197a34ed1b22ae7de69a53f39b59e6574ffd
Formbook
e812adcd8f8470a1be64d92dafaebf717db1c45d58fe04a9160d88a468cf7e3c
Formbook
ea94995d23d53a98a949a242022cbd9bc5b7a4320c3fb6c045370b15704e4004
Formbook
+ 10'660 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:p2a5 evasion loader persistence rat spyware stealer
Link:
https://tria.ge/reports/220308-ww2gjsacc3/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Reads user/profile data of web browsers
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Xloader Payload
Xloader
Unpacked files
SH256 hash:
98c9c20fcffa6fe99c0841a33f4a9283552b9393d958818b9b2b610d5467822e
MD5 hash:
5c4dd55a06141f850ddcedb9253ed84c
SHA1 hash:
cf217d41e06f4c35eb00e8ad95bbfcd419a75424
Link:
https://www.unpac.me/results/a286ea7f-e51d-4af9-9b16-c2d7bd410498/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/98c9c20fcffa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/98c9c20fcffa6fe99c0841a33f4a9283552b9393d958818b9b2b610d5467822e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 98c9c20fcffa6fe99c0841a33f4a9283552b9393d958818b9b2b610d5467822e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2084648/
Cape
Cape
https://www.capesandbox.com/analysis/248455/

Comments


Avatar
zbet commented on 2022-03-08 18:16:34 UTC

url : hxxp://180.214.236.128/__protectcloudX/vbc.exe