MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5
SHA3-384 hash: 07c6d285d4409ffbd2c377eff67f91e34a5d2735025e46ea1ff8d4c103e7dd62b8de36fa693236034b27774f712f5fc8
SHA1 hash: 204762dbb01579ea39295660d86085591578e0a1
MD5 hash: 03c738a9106a7ba9bad7f4995d52f028
humanhash: iowa-india-pizza-illinois
File name:Confirmation transfer Ref No_0033463247892.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:911'872 bytes
First seen:2022-12-08 10:06:02 UTC
Last seen:2022-12-08 11:38:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:jmRx3Gdhk0yClxNwArBMQm8i9eXiDdEPf:jmr32hkGFxBlmFezP
TLSH T1A615D09033A6AF71F5286BF37521804827B62C6EA5F1C6296DCDF0DE2671B4149F0B27
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 32c29292b2e88e82 (7 x Formbook, 6 x RemcosRAT, 2 x AgentTesla)
Reporter ankit_anubhav
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
TH TH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
https://files.catbox.moe/cr8roy.zip
Verdict:
Malicious activity
Analysis date:
2022-12-07 05:51:17 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/5054ce9d-02c1-4e9e-ae1d-ea3d5f0d4f23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/344262/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389.24084.18657.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6391b70cd4d7598ad904bfef/reports/73286dfe-f2fb-4cbd-abee-19baed0c3860/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f14cbf3-a445-4dad-bcfe-bfcaf5f02671
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1130596
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 763320 Sample: Confirmation transfer Ref N... Startdate: 08/12/2022 Architecture: WINDOWS Score: 100 49 www.ramlendingservices.com 2->49 57 Multi AV Scanner detection for domain / URL 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for URL or domain 2->61 63 9 other signatures 2->63 9 Confirmation transfer Ref No_0033463247892.exe 7 2->9         started        13 eSdygJSxTrIOo.exe 5 2->13         started        signatures3 process4 file5 41 C:\Users\user\AppData\...\eSdygJSxTrIOo.exe, PE32 9->41 dropped 43 C:\...\eSdygJSxTrIOo.exe:Zone.Identifier, ASCII 9->43 dropped 45 C:\Users\user\AppData\Local\...\tmpF816.tmp, XML 9->45 dropped 47 Confirmation trans...33463247892.exe.log, ASCII 9->47 dropped 73 Adds a directory exclusion to Windows Defender 9->73 75 Injects a PE file into a foreign processes 9->75 15 Confirmation transfer Ref No_0033463247892.exe 9->15         started        18 powershell.exe 21 9->18         started        20 schtasks.exe 1 9->20         started        77 Multi AV Scanner detection for dropped file 13->77 79 Machine Learning detection for dropped file 13->79 22 eSdygJSxTrIOo.exe 13->22         started        24 schtasks.exe 1 13->24         started        signatures6 process7 signatures8 83 Modifies the context of a thread in another process (thread injection) 15->83 85 Maps a DLL or memory area into another process 15->85 87 Sample uses process hollowing technique 15->87 89 Queues an APC in another process (thread injection) 15->89 26 explorer.exe 15->26 injected 30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        34 cmstp.exe 22->34         started        36 conhost.exe 24->36         started        process9 dnsIp10 51 recipecity.quest 162.241.123.152, 49698, 80 UNIFIEDLAYER-AS-1US United States 26->51 53 succes-digitalmlm.com 91.216.107.147, 49699, 49700, 49701 RMI-FITECHFR France 26->53 55 2 other IPs or domains 26->55 81 System process connects to network (likely due to code injection or exploit) 26->81 38 mstsc.exe 13 26->38         started        signatures11 process12 signatures13 65 Tries to steal Mail credentials (via file / registry access) 38->65 67 Tries to harvest and steal browser information (history, passwords, etc) 38->67 69 Deletes itself after installation 38->69 71 2 other signatures 38->71
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-11-29 09:42:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
44
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vjuhjjrwizducqpcskfqstc5yfnb7qxkmehm47fh7fnyb3efnpsq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:q4k5 rat spyware stealer trojan
Link:
https://tria.ge/reports/221208-l43z8sce91/
Behaviour
Creates scheduled task(s)
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a96b1c69-67cc-4bdc-a8d1-c5544b71c01b
Unpacked files
SH256 hash:
dc167c51e5b18a4f3082103c883acd0e2731355790b162fa028c464529c6c8fa
MD5 hash:
59206528ecaad5375d547e8a9c2616f6
SHA1 hash:
69fdb679ed8157c39455350c9012831d5c10f682
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/2d91a75e-ce5d-468d-b657-1277c52a5104/
Parent samples :
efe299573660e349b6169b099708c6794d5b593095b9a81ac5000a9b18936252
987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b
b0e5e12bea8386e6e06c82e4e25257b22649a608b2ef2a599332879983a000b0
aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5
fa6c3d318b33c9f659b283d02ed355e6c82988ed44d5f7458f043ed6d7997d9b
f4897a2a260bb6af2c853270b0fe2c5da5f840668a228f607f2ad22a9aa7817e
SH256 hash:
894053c4ccde8e981818530f3890240aac621a745ded33c058496562181a2cb1
MD5 hash:
987b5b7b10457a0685a2b3e64fa3398c
SHA1 hash:
3be6f7b24b17be260e215e3b80a57d59c8d7e4c6
Link:
https://www.unpac.me/results/2d91a75e-ce5d-468d-b657-1277c52a5104/
SH256 hash:
3ad17b152f9d4e596755bcd9e0641c5fedffcfb19d8633cd87a57387445060c8
MD5 hash:
7c648cfa98a6070536380608de1f6664
SHA1 hash:
ee493a9d7286c1f7931c8b1ab6de01c4bce5ef1b
Link:
https://www.unpac.me/results/2d91a75e-ce5d-468d-b657-1277c52a5104/
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/2d91a75e-ce5d-468d-b657-1277c52a5104/
SH256 hash:
4179091a64e8d08653862ca47444162bc26bac32c2dc6496bd6d22717a71c260
MD5 hash:
9c37c18b659ba9b5bd9dadc2c8340069
SHA1 hash:
5a2e8322554ece74b954e27801db06a3c3f4e323
Link:
https://www.unpac.me/results/2d91a75e-ce5d-468d-b657-1277c52a5104/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/2d91a75e-ce5d-468d-b657-1277c52a5104/
SH256 hash:
aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5
MD5 hash:
03c738a9106a7ba9bad7f4995d52f028
SHA1 hash:
204762dbb01579ea39295660d86085591578e0a1
Link:
https://www.unpac.me/results/2d91a75e-ce5d-468d-b657-1277c52a5104/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa6874a63646/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/344262/

Comments