MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a273caaec30c51f646c6b2d4e6d4823e01f510f3d48ceb963664e50c1e3a5f31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a273caaec30c51f646c6b2d4e6d4823e01f510f3d48ceb963664e50c1e3a5f31
SHA3-384 hash: b6951753f54b816a9cff5665eee81b7839cc0b651b52a291e0cae3dfa84eb49f43cc0fe8698b0fb41372ed38e143c513
SHA1 hash: dd43dffcc5adeefaca764ae057589736f2edb132
MD5 hash: cc1b7fc64e141854bc75f1b0a56b028a
humanhash: texas-item-delta-washington
File name:ADV.EXE
Download: download sample
Signature Formbook
Create hunting rule
File size:785'920 bytes
First seen:2021-10-01 08:19:22 UTC
Last seen:2021-10-01 11:05:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:a2pV2dIF/OX+DqqOZqZo1PfR06p6rFTv63IgyjhZ7peW:rV2dIFjGq4qK1Ppp6FTSyhy
Threatray 9'775 similar samples on MalwareBazaar
TLSH T11BF47B27B1EC8AEEC09F45BAAC55F31C46A1AD0A3249CE859E82F4DD15B573110F386F
File icon (PE):PE icon
dhash icon e4ccccccd4c4cccc (10 x Formbook, 10 x AgentTesla, 5 x Loki)
Reporter ankit_anubhav
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ADV.EXE
Verdict:
Malicious activity
Analysis date:
2021-10-01 08:24:18 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/2daa912d-cb50-4852-b3be-514986da7bda

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193929/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1048-2.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/85583445-cc03-47f4-a3dc-49d40a5105eb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862582
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 495010 Sample: ADV.EXE Startdate: 01/10/2021 Architecture: WINDOWS Score: 100 34 www.tokyorobots.xyz 2->34 36 www.emberandfawn.com 2->36 38 ext-cust.squarespace.com 2->38 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 7 other signatures 2->48 11 ADV.EXE 3 2->11         started        signatures3 process4 signatures5 58 Tries to detect virtualization through RDTSC time measurements 11->58 60 Injects a PE file into a foreign processes 11->60 14 ADV.EXE 11->14         started        process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 17 explorer.exe 14->17 injected process8 dnsIp9 28 multitraficoonline.com 108.167.141.141, 49827, 80 UNIFIEDLAYER-AS-1US United States 17->28 30 houseathomes.com 203.146.140.8, 49832, 80 CSLOX-IDC-AS-APCSLOXINFOPublicCompanyLimitedTH Thailand 17->30 32 7 other IPs or domains 17->32 40 System process connects to network (likely due to code injection or exploit) 17->40 21 wscript.exe 17->21         started        signatures10 process11 signatures12 50 Self deletion via cmd delete 21->50 52 Modifies the context of a thread in another process (thread injection) 21->52 54 Maps a DLL or memory area into another process 21->54 56 Tries to detect virtualization through RDTSC time measurements 21->56 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a273caaec30c51f646c6b2d4e6d4823e01f510f3d48ceb963664e50c1e3a5f31/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-01 08:20:15 UTC
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c22acaa973cbb781aea92dc1fb5a8c7cc1fd2abd403f2a6b9703f8f1e1c8657
Formbook
1076b9efbc0e135c85f1228253f9a1d2f35f4fd49c70d290de72808f72bd56eb
Formbook
166559731ad15341f955bf8a16708f93542bef868c33f02f70e9b27f57b991a3
Formbook
1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24
Formbook
2728dc98fdebc00823b877eba49ace782c17db8a07074634aafca9dc00277776
Formbook
2dc7525f9ee6e09a25f840b457bf5b0ba228c4697e1f3d4b81bd2964d2eafc61
Formbook
64e3a0f2298f21833eb7a9c51aa0b2b8d3354bdcefb0156bb34371e3163d8b3d
Formbook
7b4c1bf9a15a419080fe02866aa26f162f79d5e01763c6af5915b07988556223
Formbook
978a3b17f431b7ed469cd02080d82e4fb9d0b578417d061739fa790af3fb2741
Formbook
c4c9d27ea805c32e7f0e66dc0d9534d8fbd87f4c1327727b2e1e9ae937f02c45
Formbook
+ 9'765 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:gtc5 loader rat
Link:
https://tria.ge/reports/211001-j8fdmabcf3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.studio-pdx.com/gtc5/
Unpacked files
SH256 hash:
0d22e6a80d0684b30db3161e65f6879cbc0e41064c8653a37f4b2a6f658e0abb
MD5 hash:
d7a20e4346a10b4881242f15d75277da
SHA1 hash:
cb7f6d4e0e7b8e055f29e8ba7e6bc94cb3105502
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/78a1e102-b88c-45ba-9171-aa992a7ab3e6/
Parent samples :
a273caaec30c51f646c6b2d4e6d4823e01f510f3d48ceb963664e50c1e3a5f31
b08439619eb9a7986938fbb7dfbb6b36999937e531c9b739d45fe5373af5b71a
SH256 hash:
f71a420e9fad78b250d785e2606b3cf6d3e70727b64a76f2a10054b68aa38437
MD5 hash:
1b01b7b6056b75cde41f7a3d81636fa0
SHA1 hash:
bd88e7d2507734e642f67441a4298aa9b724116d
Link:
https://www.unpac.me/results/78a1e102-b88c-45ba-9171-aa992a7ab3e6/
SH256 hash:
90fafd1ac75008f31d0b5ebf233262118599186d71d30d2bdf1aa5ebbd0b8e5d
MD5 hash:
9f736e9e7219d584a80fcdc092689561
SHA1 hash:
b22668dee30b6077ee9e6da10b10b15c812b9c13
Link:
https://www.unpac.me/results/78a1e102-b88c-45ba-9171-aa992a7ab3e6/
SH256 hash:
1396d0d14aedfd45ff68d105e80a7e0ad07477bea946785c023bda1559fc5fc3
MD5 hash:
aadb56203ad6e2e7e658c879caa9a2cf
SHA1 hash:
561e24e927476b16899fecd2cd0ece4c372eab36
Link:
https://www.unpac.me/results/78a1e102-b88c-45ba-9171-aa992a7ab3e6/
SH256 hash:
a273caaec30c51f646c6b2d4e6d4823e01f510f3d48ceb963664e50c1e3a5f31
MD5 hash:
cc1b7fc64e141854bc75f1b0a56b028a
SHA1 hash:
dd43dffcc5adeefaca764ae057589736f2edb132
Link:
https://www.unpac.me/results/78a1e102-b88c-45ba-9171-aa992a7ab3e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/a273caaec30c51f646c6b2d4e6d4823e01f510f3d48ceb963664e50c1e3a5f31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/193929/

Comments