MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99714288e33f3da9fd0bffa08767fc02aa0d014dba4352aa5ce5ecbe8f94f0f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99714288e33f3da9fd0bffa08767fc02aa0d014dba4352aa5ce5ecbe8f94f0f1
SHA3-384 hash: e0ed93bf335e2e9067e420ff9611a4f9b183643764f8f0ed59ab0d93674f00b7ed37c1b8ea2c34db768099553d66d57b
SHA1 hash: b62a4f0b6a119ea7c629c23e4afb67a4b13f3f21
MD5 hash: 4793724aa393e35f8cf54797453a25d6
humanhash: jig-quiet-vegan-washington
File name:4793724aa393e35f8cf54797453a25d6
Download: download sample
Signature Formbook
Create hunting rule
File size:1'116'160 bytes
First seen:2021-08-27 08:59:04 UTC
Last seen:2021-08-27 13:03:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:Ycgh6noMebNC6+S1+qkGLeKWvzLvpwgZeD6u:YqoZZC6+sPZLRWvPpwgZ
Threatray 8'443 similar samples on MalwareBazaar
TLSH T11235E43D29FD2627D1B9C7BACBE09827F15498AF3111A96468D343AA4352F4275C323F
dhash icon d1130367677b1e8d (7 x AgentTesla, 5 x Formbook, 5 x Loki)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
357
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4793724aa393e35f8cf54797453a25d6
Verdict:
Suspicious activity
Analysis date:
2021-08-27 09:00:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b6a7db67-77ea-44ee-868e-ac0606be7ce1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/182893/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1011.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5276a104-3525-440b-a5fc-61f4f1cf19ab
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840298
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 472730 Sample: seF2Q1KaM9 Startdate: 27/08/2021 Architecture: WINDOWS Score: 100 35 www.sanjosedroneservices.com 2->35 37 www.wandallia.com 2->37 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 6 other signatures 2->53 10 seF2Q1KaM9.exe 3 2->10         started        signatures3 process4 file5 27 C:\Users\user\AppData\...\seF2Q1KaM9.exe.log, ASCII 10->27 dropped 55 Tries to detect virtualization through RDTSC time measurements 10->55 57 Injects a PE file into a foreign processes 10->57 14 seF2Q1KaM9.exe 10->14         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Maps a DLL or memory area into another process 14->61 63 Sample uses process hollowing technique 14->63 65 Queues an APC in another process (thread injection) 14->65 17 msdt.exe 12 14->17         started        21 explorer.exe 14->21 injected process9 dnsIp10 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 43 Tries to detect virtualization through RDTSC time measurements 17->43 23 cmd.exe 1 17->23         started        29 www.thesmarterhold.com 91.195.240.117, 49719, 80 SEDO-ASDE Germany 21->29 31 www.justicegirlssliponslippers.com 173.255.194.134, 49716, 80 LINODE-APLinodeLLCUS United States 21->31 33 5 other IPs or domains 21->33 45 System process connects to network (likely due to code injection or exploit) 21->45 signatures11 process12 process13 25 conhost.exe 23->25         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/99714288e33f3da9fd0bffa08767fc02aa0d014dba4352aa5ce5ecbe8f94f0f1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-27 08:59:14 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4afb539f79059c70d141775ea9d479cfd95bbe4d6ef900c996cee8262a166bfc
Formbook
503f83e4dea1cb3a70d4c309471ea87756a2465c64533d2ea7103b37bd787788
Formbook
54ab4a1cdce2eb6cac3d05ca5eb317a247a6b5e9164d8c1067f1601953ec8729
Formbook
62df68b2db0b080a2e963f0c082b5df7b15819032e11fbe5e9dfcfb8d143f61e
Formbook
c494dceddfa1c8c6944a93f902c641ab5f99352ba48b81849e576f7da353314c
Formbook
cf993c713cfe3b22bd4978530f420e2dc54c38d106ad5fc5a9aacb1e377b81e2
Formbook
db1a8d7d27c500facb7e8e5c30ff3c9d901c51a550ebdad36e741d518b628c30
Formbook
dd4114ea355d3f70e7683fb8491e2499347b6133bd9ef6d094a0cb6ad8aa4609
Formbook
+ 8'433 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:24ng loader rat
Link:
https://tria.ge/reports/210827-wbxcg5bv9e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.mercurydatas.com/24ng/
Unpacked files
SH256 hash:
6c14b740a9a61476a13c3139ebedde37269391a34155b5e1d51b0ba0647022f1
MD5 hash:
0ad138485ef8d85137cd458293bd9b34
SHA1 hash:
e9e60d484b8b7d79d22b1155e38ee9e3c2fc2bc0
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/afccdeaf-2ae2-43e3-b1c0-84f62f8e44ee/
Parent samples :
99714288e33f3da9fd0bffa08767fc02aa0d014dba4352aa5ce5ecbe8f94f0f1
687b91a38a011ab52837bde98b31b5b2efb06151a8ae940c03096cd9fe87e9da
c8754a0701ed69c237eb6e69f2dd6e026ab385a949940506d64fb4872c1f308f
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/afccdeaf-2ae2-43e3-b1c0-84f62f8e44ee/
SH256 hash:
6f3b70078fe9df0f1710c92eed4ed4fdbe484d778692e06e5806382f72cc4838
MD5 hash:
0a30777f7f87bb23006bbc9c4e8abb39
SHA1 hash:
58eac72c7718748788f14358cf25d1f1cbdb8c08
Link:
https://www.unpac.me/results/afccdeaf-2ae2-43e3-b1c0-84f62f8e44ee/
SH256 hash:
99714288e33f3da9fd0bffa08767fc02aa0d014dba4352aa5ce5ecbe8f94f0f1
MD5 hash:
4793724aa393e35f8cf54797453a25d6
SHA1 hash:
b62a4f0b6a119ea7c629c23e4afb67a4b13f3f21
Link:
https://www.unpac.me/results/afccdeaf-2ae2-43e3-b1c0-84f62f8e44ee/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/99714288e33f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/99714288e33f3da9fd0bffa08767fc02aa0d014dba4352aa5ce5ecbe8f94f0f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 99714288e33f3da9fd0bffa08767fc02aa0d014dba4352aa5ce5ecbe8f94f0f1

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/182893/
  
URLhaus
https://urlhaus.abuse.ch/url/1569099/

Comments


Avatar
zbet commented on 2021-08-27 08:59:05 UTC

url : hxxp://103.133.106.199/icici/vbc.exe