MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3
SHA3-384 hash: 8ad516533cbbd905b4fcde124fb22daebabd050a2f49e64ecdbeabe79b761209f5d172041fafc3c984ad4ea19b526fbc
SHA1 hash: 36219c9148dafb036bc5871c440cbcf959d1b683
MD5 hash: 1c3047465bb31dd2ac45101680301992
humanhash: ink-south-fish-orange
File name:1c3047465bb31dd2ac45101680301992
Download: download sample
Signature Formbook
Create hunting rule
File size:779'264 bytes
First seen:2021-09-23 07:54:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:WMpJmtiK5oprN1v3aRXn7staBHSjLDXJbgqwfTGPQIb6CvdGk:ZJ+FopRd3ersABs/XNgxfTGPQIb6CvdG
Threatray 9'578 similar samples on MalwareBazaar
TLSH T15EF48AC86D888A03D3944672DC5D6246366C1C0A3723875BEBE53DBB3EFD2C3852D59A
File icon (PE):PE icon
dhash icon a28aa2e2e0aaa2a2 (14 x Formbook, 11 x AgentTesla, 5 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MV MIGHTY CHAMP.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-23 06:20:01 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/e4017b34-aa94-4656-96cd-763e8906935c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190683/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.26929.UNOFFICIAL
Create hunting rule

Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/45cf63aa-a446-4d3d-b606-9613bb57c229
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856270
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 488701 Sample: eJRGpI4A6d Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 33 www.sapphiretype.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 8 other signatures 2->47 11 eJRGpI4A6d.exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\eJRGpI4A6d.exe.log, ASCII 11->31 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 Injects a PE file into a foreign processes 11->61 15 eJRGpI4A6d.exe 11->15         started        18 eJRGpI4A6d.exe 11->18         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 20 explorer.exe 15->20 injected process9 dnsIp10 35 cherrycooky.com 14.128.147.156, 49822, 80 KIXS-AS-KRKoreaTelecomKR Korea Republic of 20->35 37 vps.28.com.cn 45.119.53.93, 49798, 80 CLOUDIE-AS-APCloudieLimitedHK China 20->37 39 8 other IPs or domains 20->39 49 System process connects to network (likely due to code injection or exploit) 20->49 24 rundll32.exe 20->24         started        signatures11 process12 signatures13 51 Self deletion via cmd delete 24->51 53 Modifies the context of a thread in another process (thread injection) 24->53 55 Maps a DLL or memory area into another process 24->55 57 Tries to detect virtualization through RDTSC time measurements 24->57 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 07:48:12 UTC
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1076b9efbc0e135c85f1228253f9a1d2f35f4fd49c70d290de72808f72bd56eb
Formbook
115716164b2092df207c750d11a2b4ce05bee204b7f21f1f62d93a5b7d78afa1
Formbook
2fc82f206abb0d6d6b4d7a916be93b408ab78f848531917b3968b066a5a31023
Formbook
5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8
Formbook
695b006f3b83048d47ea1fcae9d7cbacac8f82b4f3d2908ca20f06788e8b3b92
Formbook
84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d
Formbook
9545b9927196fd12d327c38b6f99dbfe3be7beeefb9e4c4a9d3b038c5c39c119
Formbook
ef4a9aba2afcd39bbfbce4fde4f5b14869115984d430c2e73353e89e214feaa4
Formbook
f67b56c419eaa4e3df12d7624c0ef0047fb7ca691a888e02225c9ba6610e8f96
Formbook
+ 9'568 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:arup loader rat
Link:
https://tria.ge/reports/210923-jr5xysdbb3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.sapphiretype.com/arup/
Unpacked files
SH256 hash:
0a91d1253212a874adb2615f72362fd63c31f5ac1c9008c12def5e2fe07ed9d1
MD5 hash:
9c9e1dc29cf7f94a4f99a66d1c00f6e1
SHA1 hash:
5e72a46f4aefa6d02c29fcf1acc4ac60bf03ec75
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d7a4edea-bda5-4345-975d-071ef3a86493/
Parent samples :
995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3
d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/d7a4edea-bda5-4345-975d-071ef3a86493/
SH256 hash:
ca1a2973237396f03b76f8939677973d426a7955b47d1dd9880f2d4fa78d2a12
MD5 hash:
ed1c91aa48efd69a8ded8edd300add4a
SHA1 hash:
763a751ab64a2b69bd59e3b84354ecee2aa54520
Link:
https://www.unpac.me/results/d7a4edea-bda5-4345-975d-071ef3a86493/
SH256 hash:
de15510ee4c6c3b404acf2c4edf06e99a1b9d8617034e22440402a27e5e41550
MD5 hash:
a200ee6b3c585a0ded17f37d9a712bcb
SHA1 hash:
5ef606b2b223cb40f643482add4f688adccad4f3
Link:
https://www.unpac.me/results/d7a4edea-bda5-4345-975d-071ef3a86493/
SH256 hash:
995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3
MD5 hash:
1c3047465bb31dd2ac45101680301992
SHA1 hash:
36219c9148dafb036bc5871c440cbcf959d1b683
Link:
https://www.unpac.me/results/d7a4edea-bda5-4345-975d-071ef3a86493/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190683/
  
URLhaus
https://urlhaus.abuse.ch/url/1640578/

Comments


Avatar
zbet commented on 2021-09-23 07:54:57 UTC

url : hxxp://198.23.212.143/wee/vbc.exe