MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9010421ea97c10ab6147e6c5077fab296030b13c26b6645502b6165e2e9d4db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9010421ea97c10ab6147e6c5077fab296030b13c26b6645502b6165e2e9d4db
SHA3-384 hash: 5c750fca7d9f70135856936e95ebed8465f73930fe566c80fe914f68381dcc075d9a9fb931c671fff857a3b148305120
SHA1 hash: 886a56f419a6e4bc65c603089ee9e9d4f6ad7a54
MD5 hash: 47fa27443cb1abe987ca9f653754b6d0
humanhash: eight-three-april-lithium
File name:47fa27443cb1abe987ca9f653754b6d0
Download: download sample
Signature Formbook
Create hunting rule
File size:711'168 bytes
First seen:2021-08-26 12:58:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 34279dc80317d1d92e4cc4f07cdb3a94 (1 x RemcosRAT, 1 x Formbook)
ssdeep 12288:OlaDZ6+Eis2xF7S3/6nYpH5hQVsqjGhH/LGE9jhbO:OsD8GxF4FpHPYj+HTGEVVO
Threatray 8'502 similar samples on MalwareBazaar
TLSH T163E47D52A294517FC1B765B96C59B63BF86ABD403E38DC853AE33C5D4B3C1E03A22352
dhash icon f8e88ea482a8a888 (8 x RemcosRAT, 1 x AveMariaRAT, 1 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
351
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PI_55034455.xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-26 12:16:13 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/9912438e-9d65-4ad5-96e1-e12fbf8276d7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182656/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
DNS request
Connection attempt
Creating a file
Deleting a recently created file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/657efd16-8f16-4a97-a5ac-69a1c1e854f6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839767
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 472194 Sample: fD7qW1Onk0 Startdate: 26/08/2021 Architecture: WINDOWS Score: 100 42 zaxuiw.bn.files.1drv.com 2->42 44 onedrive.live.com 2->44 46 bn-files.fe.1drv.com 2->46 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 4 other signatures 2->60 9 fD7qW1Onk0.exe 1 25 2->9         started        signatures3 process4 dnsIp5 48 192.168.2.1 unknown unknown 9->48 50 zaxuiw.bn.files.1drv.com 9->50 52 2 other IPs or domains 9->52 40 C:\Users\Public\Libraries\...\Zpxtgza.exe, PE32 9->40 dropped 62 Writes to foreign memory regions 9->62 64 Allocates memory in foreign processes 9->64 66 Creates a thread in another existing process (thread injection) 9->66 68 Injects a PE file into a foreign processes 9->68 14 secinit.exe 9->14         started        17 cmd.exe 1 9->17         started        19 cmd.exe 1 9->19         started        file6 signatures7 process8 signatures9 70 Maps a DLL or memory area into another process 14->70 72 Tries to detect virtualization through RDTSC time measurements 14->72 21 explorer.exe 4 5 14->21 injected 23 reg.exe 1 17->23         started        25 conhost.exe 17->25         started        27 cmd.exe 1 19->27         started        29 conhost.exe 19->29         started        process10 process11 31 Zpxtgza.exe 21->31         started        34 Zpxtgza.exe 21->34         started        36 conhost.exe 23->36         started        38 conhost.exe 27->38         started        signatures12 74 Multi AV Scanner detection for dropped file 31->74 76 Machine Learning detection for dropped file 31->76
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9010421ea97c10ab6147e6c5077fab296030b13c26b6645502b6165e2e9d4db/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 12:59:09 UTC
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=veaqiipks7aqvnqupzwfa572wklagcytyjvwmrkqfnqwlyxj2tnq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
22bd5ba035c9dcdda222f812537d8b49241b50c55042fd3b902ca8b36d17a398
Formbook
300dd45e5b41e94c62a67a53d6ba458816711b5168e91d7a5b04493bd36c5f0d
Formbook
38ba862149962bc5a10825a2b818391624cda439fcb3f6212b75d84eeeb4f70c
Formbook
672795699cca5d2353cd8a39ea7d1c0f2a779b3c943a7c3630884b2141a82214
Formbook
6f536ae781fd98358126408aa6991b4bb3ec3f9940929a22b25f785b71ec770d
Formbook
8855c73a66320b1d62c22f7af62feb301d13e4b68f4edfba64bf47473ad58c4a
Formbook
9b795b925c16454a770214d5ef56ee695a5f562498d4d276cf160fbc13162c15
Formbook
a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26
Formbook
c65e9659dc7d97331803b2137d4d7e0a47869eca75d718ea9f92397dcd68eb55
Formbook
+ 8'492 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:ecuu loader persistence rat trojan
Link:
https://tria.ge/reports/210826-ntzcsq6zvs/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Adds policy Run key to start application
Xloader Payload
ModiLoader, DBatLoader
Xloader
Malware Config
C2 Extraction:
http://www.polaritelibrairie.com/ecuu/
Unpacked files
SH256 hash:
4e1202f3e7e04b0b3ca1df164bf5381f24063c142317e774d4e5d88b2b3ac744
MD5 hash:
aa23dee2c34813d67fe9c67ec784782a
SHA1 hash:
10b2e7af7cb9d6f852e6d607875a8c9613538930
Link:
https://www.unpac.me/results/cdf03ea5-dfaa-4a60-9d28-e9212c53ce2e/
SH256 hash:
a9010421ea97c10ab6147e6c5077fab296030b13c26b6645502b6165e2e9d4db
MD5 hash:
47fa27443cb1abe987ca9f653754b6d0
SHA1 hash:
886a56f419a6e4bc65c603089ee9e9d4f6ad7a54
Link:
https://www.unpac.me/results/cdf03ea5-dfaa-4a60-9d28-e9212c53ce2e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a9010421ea97/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9010421ea97c10ab6147e6c5077fab296030b13c26b6645502b6165e2e9d4db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe a9010421ea97c10ab6147e6c5077fab296030b13c26b6645502b6165e2e9d4db

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/182656/

Comments


Avatar
zbet commented on 2021-08-26 12:58:49 UTC

url : hxxp://198.12.107.114/union/vbc.exe