MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a22ca7acaf7bfae77ff56f08b010ac618fb6ed2d6faddfc593b6f552c0e86f5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a22ca7acaf7bfae77ff56f08b010ac618fb6ed2d6faddfc593b6f552c0e86f5b
SHA3-384 hash: 77fc31544ecd658d99290fafde3bbc741df6cf0905f5adf4cd1eb2fed99d9dce49ea4c123b293d5420206d3b6e122144
SHA1 hash: 2bed59602e66709610e9604d36b660b14e11a5ed
MD5 hash: ee36eeb8ab56f4134c2edb220fdaa9a1
humanhash: four-magnesium-carolina-north
File name:aEe8yIoysWwr3Oj.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:582'144 bytes
First seen:2022-05-16 07:09:29 UTC
Last seen:2022-05-16 11:11:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:UJNZ6VDSZRhkPkmuRn3g4Idz9l3icVNO2z6csETbYn1KJvP802B6Q:aD3RnrIt9zN1vbe1K
Threatray 11'495 similar samples on MalwareBazaar
TLSH T1F0C4E0DC322436EFD85BC47ADAA92CB4AA60747B531B9213A42781ED9D4D987CF140F3
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c0b0c6c8a896a0c0 (20 x AgentTesla, 19 x Formbook, 12 x Loki)
Reporter pr0xylife
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
aEe8yIoysWwr3Oj.exe
Verdict:
Malicious activity
Analysis date:
2022-05-16 07:54:11 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/6f0539ee-bf15-4319-ac42-8e7a7f8ba52e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/270914/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6281f8db6b2a366ce414203b/reports/0182721b-6a91-4861-9f19-4eec4a285e8e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab1d47dd-02a4-469f-8c1c-b5164b129555
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994634
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 627130 Sample: aEe8yIoysWwr3Oj.exe Startdate: 16/05/2022 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus detection for URL or domain 2->35 37 7 other signatures 2->37 9 aEe8yIoysWwr3Oj.exe 3 2->9         started        process3 file4 29 C:\Users\user\...\aEe8yIoysWwr3Oj.exe.log, ASCII 9->29 dropped 47 Tries to detect virtualization through RDTSC time measurements 9->47 49 Injects a PE file into a foreign processes 9->49 13 aEe8yIoysWwr3Oj.exe 9->13         started        16 aEe8yIoysWwr3Oj.exe 9->16         started        signatures5 process6 signatures7 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 18 wlanext.exe 13->18         started        21 explorer.exe 13->21 injected process8 signatures9 39 Self deletion via cmd delete 18->39 41 Modifies the context of a thread in another process (thread injection) 18->41 43 Maps a DLL or memory area into another process 18->43 45 Tries to detect virtualization through RDTSC time measurements 18->45 23 cmd.exe 1 18->23         started        25 explorer.exe 151 18->25         started        process10 process11 27 conhost.exe 23->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a22ca7acaf7bfae77ff56f08b010ac618fb6ed2d6faddfc593b6f552c0e86f5b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 06:39:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uiwkplfppp5oo77vn4elaefmmgh3n3jnn6w57rmtw32vfqhin5nq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0b547b6fbd2328c64aab9806e3617ec953098db3af45a2546697d9ca7ee838c9
Formbook
19a007d4980b99ea32ee2d9feb1c7479ee4c7b165b159fd4fbd33622b661009d
Formbook
232a16efaec47e6d4fc8f5318ed9d9d58198daef519f30a5d9147d38f293638c
Formbook
5f8d69976e4d3c9b6508cd376dcab4971a605d8d1122952ad604f7b48d2ef1e1
Formbook
6532ef52b6dc45894c81610a5f29adf7b5668da4014bd0bbe549f31657b80633
Formbook
b8d8a8ab682956d7abd31c4fa49690ece5f9349ea7753e83243ef5a933df4684
Formbook
bef0d9edea1dd55695f0490efa9a9dfaefeff5154dc56f407391781dc7e0ed4c
Formbook
c229dfc2fbeae18ab1517a096e4b53639144648a9e6d1bd74d0174ce90a4ecb6
Formbook
e812adcd8f8470a1be64d92dafaebf717db1c45d58fe04a9160d88a468cf7e3c
Formbook
fed1f0c660904ecb7465c29594741e048485c6bdd792f8b745e9f12a9b40367f
Formbook
+ 11'485 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:usps loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220516-hzc2gafec9/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
cff04f25330da07fa60a88720273f3806dbbaf107ec634adbd9a26fec5adda68
MD5 hash:
51bce2cd04f98ceb38fcb4d3be5b05c1
SHA1 hash:
21ce391350d5e925252049c0e04c95252910bfb6
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/60e164b1-adf8-477a-b33d-2bc0716acce4/
Parent samples :
a22ca7acaf7bfae77ff56f08b010ac618fb6ed2d6faddfc593b6f552c0e86f5b
3ab5efb42def342934ed461b4247037bb89eb0bb25fe12d33ac79f448aaf9eb7
2c0d3399664b5cde939a235ecd72cf708c48e8c7994eb2973b0d235aa475fbc7
5fe21adc879b7c46be96deb69eb55316d0f4834a039e151f77f8cd37974b798c
SH256 hash:
da49093a5e9d497b1acae77588b4d9b48c2aa28376a63829940f3495fc9b7d89
MD5 hash:
2edaa68912e1f976170b62cfcc597e87
SHA1 hash:
cfe143bdd5076e53cc6541220ed7102f66be76e1
Link:
https://www.unpac.me/results/60e164b1-adf8-477a-b33d-2bc0716acce4/
SH256 hash:
709fdbef8932044e42231f14888aa12b12ddc571e6daba8af86d624a39fa63bf
MD5 hash:
a7a6647650fe0204d1ab042824d638be
SHA1 hash:
a1194aba19ab6190a412073fe1918cd1b559aacf
Link:
https://www.unpac.me/results/60e164b1-adf8-477a-b33d-2bc0716acce4/
SH256 hash:
e90e0ff2f5f6fd9cfc2a1c41db18e5d3e199f11d816e7497b6e8c7a7ef373ad8
MD5 hash:
d532913f25445c3e7616ac6373ab9c22
SHA1 hash:
1d0cbbd5627cabbdcd6c5aadbe94b0c79913179e
Link:
https://www.unpac.me/results/60e164b1-adf8-477a-b33d-2bc0716acce4/
SH256 hash:
a22ca7acaf7bfae77ff56f08b010ac618fb6ed2d6faddfc593b6f552c0e86f5b
MD5 hash:
ee36eeb8ab56f4134c2edb220fdaa9a1
SHA1 hash:
2bed59602e66709610e9604d36b660b14e11a5ed
Link:
https://www.unpac.me/results/60e164b1-adf8-477a-b33d-2bc0716acce4/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a22ca7acaf7b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a22ca7acaf7bfae77ff56f08b010ac618fb6ed2d6faddfc593b6f552c0e86f5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/270914/

Comments