MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a29d5d9dae6f9937c1f0dcf733031f3478d74f326c1913727eb9e65e53c82ab9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a29d5d9dae6f9937c1f0dcf733031f3478d74f326c1913727eb9e65e53c82ab9
SHA3-384 hash: 8e7a475c8acf6be1bddf2b447cb7d2adabdfa5a9e3f9d61e4b3a8938de83264cd011f371907a8b15b21cbd215628ef4b
SHA1 hash: 820ee9b16690bbb893f036b61a436ff126c4f841
MD5 hash: 1359ae1847f22700703a538be1e7ba4a
humanhash: mockingbird-alabama-single-lemon
File name:Minutes of Meeting 22062021.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'195'520 bytes
First seen:2021-06-25 06:14:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:n6j8+bAaMd3REebAaMd3gm2DiSlJMA9kzFT56ciQh6tIkAT1S:6VAaMVRE2AaMV52/DRghUIkAZ
Threatray 6'032 similar samples on MalwareBazaar
TLSH 0C45F11429D5901AE176BF7859E0E6F98B6F7FA27B13C40D28E13E473633B429E80179
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Minutes of Meeting 22062021.exe
Verdict:
Malicious activity
Analysis date:
2021-06-25 06:19:07 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/003acd62-0801-4d99-badf-645daf23d0c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168222/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.867-1.UNOFFICIAL
Create hunting rule

Sanesecurity.Rogue.0hr.20210624-1103.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e02d0b1a-8749-426d-80ff-4e4398a6dc54
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807925
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 440336 Sample: Minutes of Meeting 22062021.exe Startdate: 25/06/2021 Architecture: WINDOWS Score: 100 27 www.pohanc.net 2->27 29 www.cloudservices.technology 2->29 31 cloudservices.technology 2->31 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 7 other signatures 2->55 9 Minutes of Meeting 22062021.exe 3 2->9         started        13 explorer.exe 2->13         started        signatures3 process4 dnsIp5 25 C:\...\Minutes of Meeting 22062021.exe.log, ASCII 9->25 dropped 57 Injects a PE file into a foreign processes 9->57 16 Minutes of Meeting 22062021.exe 9->16         started        33 jukeboxjeffdj.com 108.167.156.42, 49727, 80 UNIFIEDLAYER-AS-1US United States 13->33 35 www.eaornti.com 111.90.147.240, 49745, 80 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 13->35 37 20 other IPs or domains 13->37 59 System process connects to network (likely due to code injection or exploit) 13->59 19 help.exe 13->19         started        file6 signatures7 process8 signatures9 39 Modifies the context of a thread in another process (thread injection) 16->39 41 Maps a DLL or memory area into another process 16->41 43 Sample uses process hollowing technique 16->43 45 Queues an APC in another process (thread injection) 16->45 47 Tries to detect virtualization through RDTSC time measurements 19->47 21 cmd.exe 1 19->21         started        process10 process11 23 conhost.exe 21->23         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a29d5d9dae6f9937c1f0dcf733031f3478d74f326c1913727eb9e65e53c82ab9/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 08:32:32 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ukov3hnon6mtpqpq3t3tgay7gr4notzsnqmrg4t6xhtf4u6ifk4q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3755206dc18df104854e076d74799c1d83d6cb6acb22a7aa22ec595c56e31abc
Formbook
660708a7f99d26de87386ca21682b96179f16f2dbc67578a704cb94d78e9848f
Formbook
66b02d69d4eff510190fb38504be6dcf9f94d28f14b0569c7d1cd36bfb78983d
Formbook
67b662f28ef6c6a148443ebece272e63e7eeb9d366032b4366fe459b7c5c41f8
Formbook
69be518fd3748193be11e41acb1fb3e674b6c3f898193dec0c595bf450b19cf8
Formbook
9f86527e3ca4530bb3209d8608dae083afab4ef2cf7b0ae23bcd6fdc322a0c33
Formbook
b18cada45b281365bf225c30a5ec0b58a85f6cae6abb486cc734d345446eaf7b
Formbook
c935e13396041731908b9fbb5c4e74c38b9f374eb9a47d419038ac539008c94c
Formbook
d337cba627486e1f99e4a96407591609d888c6656a4010b88047e7cd1ab19482
Formbook
e66332c1c306b3072699f986229b07b6230edf4b46b5b46a2e535621be13021f
Formbook
+ 6'022 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210625-4hxk26mx82/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.wwwgraciescottage.com/u9pi/
Unpacked files
SH256 hash:
66f738d9107d8d19daa99d684e5473285116537e0bb3f8089ca32b269eee22a2
MD5 hash:
046399038b945b76e72ba6bb1ccee8a1
SHA1 hash:
3f6ca561723b3d79f4373c60e6c5a17eccbbc947
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/8abe8944-2e0d-464d-b1ca-1c5d6f87bf69/
Parent samples :
66b02d69d4eff510190fb38504be6dcf9f94d28f14b0569c7d1cd36bfb78983d
a29d5d9dae6f9937c1f0dcf733031f3478d74f326c1913727eb9e65e53c82ab9
e47843b7ef3c9825c787ff7fae69cfbd4759a21e81da4e800746af5b7937c45b
8a403d5866d98e6da02683d365c982c0089b338f92d2e2fe7b5ae099dbaa635b
19f2101d500dfa2ba71baf220497fe8888667bb7d9c8cf4996087ff67c11d156
SH256 hash:
71841d87523411cd8d9814cd21e0cdb036604e4ebe7d0feaab2b75d8609460de
MD5 hash:
ccec30afc370ebbe698bad4ff4f8ef2a
SHA1 hash:
ead6475c587849b2741177217caf406fa510c420
Link:
https://www.unpac.me/results/8abe8944-2e0d-464d-b1ca-1c5d6f87bf69/
SH256 hash:
06306e33b7e10429759ab8c42e31e9eb8edbd76c4f1a792a5c231a57876ea338
MD5 hash:
5bdd03077864d32db51b085294859f68
SHA1 hash:
70392a93a4c8be2377915fd6e6d3e7a3a9600adf
Link:
https://www.unpac.me/results/8abe8944-2e0d-464d-b1ca-1c5d6f87bf69/
SH256 hash:
a29d5d9dae6f9937c1f0dcf733031f3478d74f326c1913727eb9e65e53c82ab9
MD5 hash:
1359ae1847f22700703a538be1e7ba4a
SHA1 hash:
820ee9b16690bbb893f036b61a436ff126c4f841
Link:
https://www.unpac.me/results/8abe8944-2e0d-464d-b1ca-1c5d6f87bf69/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/a29d5d9dae6f9937c1f0dcf733031f3478d74f326c1913727eb9e65e53c82ab9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz a05c75cc33b9e7a07f7fed5462e81d59577a90de4f0460ebea2e11865bd944d5

Formbook

Executable exe a29d5d9dae6f9937c1f0dcf733031f3478d74f326c1913727eb9e65e53c82ab9

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a05c75cc33b9e7a07f7fed5462e81d59577a90de4f0460ebea2e11865bd944d5
Cape
Cape
https://www.capesandbox.com/analysis/168222/

Comments