MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aace20e28e61cb328da74ff938231b1ce9a07498d477efe3efc5c5d3d04b9dc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 9

SHA256 hash: aace20e28e61cb328da74ff938231b1ce9a07498d477efe3efc5c5d3d04b9dc1
SHA3-384 hash: adb9d067dac506749b97e17bee13e68be7c4efabbb018f3a428729455cc786ce2c8ae57534b9e37a23bb8230e85e7488
SHA1 hash: 3932f9822134761e7bf9bc1902f8cc28b6820559
MD5 hash: 4e71f90d1817f44313f4e101ef393968
humanhash: pizza-magnesium-artist-xray
File name: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
Signature: Formbook
File size: 721'408 bytes
First seen: 2021-05-10 12:16:40 UTC
Last seen: 2021-05-10 13:01:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6b3ae8f7a807e67f6fac520b10e5dbe8 (6 x RemcosRAT, 2 x Formbook, 2 x AgentTesla)
ssdeep: 12288:hrnWDrl98a7LUacm7sbiD97T5QM4Pr4rvU/Oy/6:hrWnZnUivR71B48rvUD/6
Threatray: 5'088 similar samples on MalwareBazaar
TLSH: 03E48D21B2E14173E16E1E398C5AF37454257F5029F4247A6BF4B908AF3D3E13D292AE
Reporter: abuse_ch
Tags: exe FormBook signed

Code Signing Certificate

Organisation: aaaaaaaaaaaaaaD
Issuer: aaaaaaaaaaaaaaD
Algorithm: sha1WithRSA
Valid from: 2021-05-09T20:18:49Z
Valid to: 2039-12-31T23:59:59Z
Serial number: -7c92f80ff9f67e60b6a60b74ba2e58ba
Thumbprint Algorithm: SHA256
Thumbprint: ac56bb3f62ba8ece00a2a667607c63dfe65689591205e9dec229b407d579043a
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
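
The certificate metadata above is worth scoring before the "signed" tag is given any weight: issuer and organisation are identical, the algorithm is sha1WithRSA, the validity runs to 2039 and the serial is shown as negative. The following is an added example written for this page (not MalwareBazaar or ReversingLabs code) that parses the block exactly as it is listed here and reports those findings; the validity and entropy thresholds are assumptions made for the example.

```python
r"""Triage of the Code Signing Certificate block above. Added example, not
MalwareBazaar or ReversingLabs code. It parses the page's key/value lines and
applies checks a responder runs before trusting a "signed" tag: issuer equals
subject (self-signed), a weak signature algorithm, an implausibly long validity
window, a low-entropy organisation name and a serial rendered as negative.
Thresholds are assumptions made for this example."""
import math
from collections import Counter
from datetime import datetime, timezone

# The certificate block exactly as listed on this page.
CERT_BLOCK = """Organisation:aaaaaaaaaaaaaaD
Issuer:aaaaaaaaaaaaaaD
Algorithm:sha1WithRSA
Valid from:2021-05-09T20:18:49Z
Valid to:2039-12-31T23:59:59Z
Serial number: -7c92f80ff9f67e60b6a60b74ba2e58ba
Thumbprint Algorithm:SHA256
Thumbprint: ac56bb3f62ba8ece00a2a667607c63dfe65689591205e9dec229b407d579043a"""

WEAK_ALGORITHMS = {"sha1withrsa", "md5withrsa", "md2withrsa"}
# Assumption: 39 months, the CA/Browser Forum maximum for a code-signing certificate.
MAX_VALIDITY_DAYS = 39 * 31
MIN_ORG_ENTROPY_BITS = 1.0  # assumption: names like "aaaaaaaaaaaaaaD" score far below this


def parse_cert_block(text):
    """Split 'Key:value' lines (with or without a space after the colon) into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def shannon_entropy(s):
    """Bits per character; a single repeated character gives 0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_cert(text):
    """Return a list of findings for the certificate metadata; empty means nothing flagged."""
    f = parse_cert_block(text)
    findings = []
    if f.get("organisation") and f.get("organisation") == f.get("issuer"):
        findings.append("self-signed: issuer equals subject organisation")
    if f.get("algorithm", "").lower() in WEAK_ALGORITHMS:
        findings.append(f"weak signature algorithm {f['algorithm']}")
    days = (parse_ts(f["valid to"]) - parse_ts(f["valid from"])).days
    if days > MAX_VALIDITY_DAYS:
        findings.append(f"validity window of {days} days exceeds {MAX_VALIDITY_DAYS}")
    org = f.get("organisation", "")
    if org and shannon_entropy(org) < MIN_ORG_ENTROPY_BITS:
        findings.append(f"low-entropy organisation name {org!r}")
    if f.get("serial number", "").startswith("-"):
        # A negative display means the DER INTEGER's top bit is set; RFC 5280 4.1.2.2
        # requires a positive serial, so the encoder that produced this was sloppy.
        findings.append("serial number rendered as negative (RFC 5280 requires a positive serial)")
    return findings


if __name__ == "__main__":
    for finding in triage_cert(CERT_BLOCK):
        print("-", finding)
```

Run against the block on this page the function returns five findings; a certificate from a public CA with a sha256 signature and a validity window under 39 months returns none. None of this proves the Authenticode signature itself is valid or invalid, it only says the metadata looks like a home-made certificate, which is exactly why a "signed" tag should not raise trust on its own.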

Intelligence

File Origin
# of uploads: 3
# of downloads: 112
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a UDP request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a process with a hidden window
Creating a process from a recently created file
Running batch commands
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph (ID 411769; sample Citvonvhciktufwvyzyhistnewdjgsoqdr.exe; start date 12/05/2021; architecture WINDOWS; score 100). The page renders the graph as one run of node labels; by node, the chain it shows is:

Top level: contacts www.rest-blog.com. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 5 other signatures. Starts Citvon.exe (node 12), Citvonvhciktufwvyzyhistnewdjgsoqdr.exe (node 16) and Citvon.exe (node 19).

Node 12, Citvon.exe: contacts xhtfga.dm.files.1drv.com and 2 other IPs or domains. Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file. Starts Citvon.exe (node 21).

Node 16, Citvonvhciktufwvyzyhistnewdjgsoqdr.exe: contacts 192.168.2.1 (unknown, unknown), xhtfga.dm.files.1drv.com and 2 other IPs or domains. Drops C:\Users\Public\Netplwiz.exe (PE32+), C:\Users\Public\NETUTILS.dll (PE32+) and C:\Users\Public\Citvon\Citvon.exe (PE32). Drops PE files to the user root directory; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes. Starts cmd.exe (node 24) and a second Citvonvhciktufwvyzyhistnewdjgsoqdr.exe (node 26).

Node 19, Citvon.exe: contacts xhtfga.dm.files.1drv.com and 2 other IPs or domains. Starts Citvon.exe (node 28).

Node 21, Citvon.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection). Injects into explorer.exe (node 30).

Node 24, cmd.exe: starts cmd.exe (node 34) and conhost.exe (node 37).

Node 30, explorer.exe (injected): contacts www.georgeswebwerks.com, www.thrg33.club and parkingpage.namecheap.com (198.54.117.212, ports 49779 and 80, NAMECHEAP-NETUS, United States). System process connects to network (likely due to code injection or exploit). Starts WWAHost.exe (node 39), msiexec.exe (node 42), autoconv.exe (node 44) and autofmt.exe (node 46).

Node 34, cmd.exe: drops C:\Windows \System32\Netplwiz.exe (PE32+) and C:\Windows \System32\NETUTILS.dll (PE32+); note the trailing space after "Windows", which makes this a mock directory rather than the real System32. Drops executables to the windows directory (C:\Windows) and starts them. Starts Netplwiz.exe (node 48) and conhost.exe (node 50).

Node 39, WWAHost.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements.

Node 48, Netplwiz.exe: starts cmd.exe (node 52).

Node 52, cmd.exe: Suspicious powershell command line found; Adds a directory exclusion to Windows Defender. Starts powershell.exe (node 55) and conhost.exe (node 58).

Node 55, powershell.exe: DLL side loading technique detected. Starts conhost.exe (node 60).

Dropped-file labels: the page shows them as Public62etplwiz.exe, Public64ETUTILS.dll, System3268etplwiz.exe and System3270ETUTILS.dll. Graphviz replaces the \N escape in a label with the node name (here the node numbers 62, 64, 68 and 70), so the "\N" of "\Netplwiz.exe" and "\NETUTILS.dll" is restored in the paths above.
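
The chain above translates directly into host detections: a process started from C:\Users\Public, files and a process in a "C:\Windows \System32" directory with a trailing space, a PowerShell command that adds a Defender exclusion, and a Run-key value pointing at a user-writable path. The following is an added example (not code from MalwareBazaar, the sandbox vendor or the sample) that runs four such rules over constructed Sysmon-style events mirroring the graph. The Defender command line, the Run value name "Citvon" and the list of suspicious roots are assumptions; the page reports the behaviours but not those specifics.

```python
r"""Detection rules for the chain in the behaviour graph above. Added example,
not code from MalwareBazaar, the sandbox vendor or the malware. The events are
constructed Sysmon-style records that mirror the graph (execution from
C:\Users\Public, the mock "C:\Windows \System32" directory with a trailing
space, a Run-key autorun, a Defender exclusion added from PowerShell); the
actual command lines and registry value name are not on the page and are
assumed here."""
import re

# Constructed sample events; field names follow Sysmon event semantics loosely.
EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Users\Public\Citvon\Citvon.exe",
     "cmdline": r"C:\Users\Public\Citvon\Citvon.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "FileCreate", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Windows \System32\NETUTILS.dll"},
    {"type": "FileCreate", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Windows \System32\Netplwiz.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows \System32\Netplwiz.exe",
     "cmdline": r"C:\Windows \System32\Netplwiz.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # assumed command line; the page only reports that an exclusion was added
     "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Public'",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "RegistryValueSet",  # value name "Citvon" is assumed
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Citvon",
     "details": r"C:\Users\Public\Citvon\Citvon.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",  # benign control
     "cmdline": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

# User-writable roots that legitimate software rarely executes from (assumption).
SUSPICIOUS_ROOTS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def norm(path):
    return path.strip('"').lower()


def whitespace_component(path):
    r"""First directory or file name carrying leading/trailing whitespace, else None.
    Win32 strips trailing spaces from paths, so such a directory only exists if it
    was created through the \\?\ prefix; "C:\Windows \System32" is the graph's case."""
    for part in path.strip('"').split("\\"):
        if part.strip() and part != part.strip():
            return part
    return None


def rule_execution_from_suspicious_folder(ev):
    return ev["type"] == "ProcessCreate" and norm(ev["image"]).startswith(SUSPICIOUS_ROOTS)


def rule_mock_system_directory(ev):
    path = ev.get("image") if ev["type"] == "ProcessCreate" else ev.get("target")
    return bool(path) and whitespace_component(path) is not None


def rule_defender_exclusion_added(ev):
    return (ev["type"] == "ProcessCreate"
            and re.search(r"add-mppreference\b.*-exclusion", ev["cmdline"], re.I) is not None)


def rule_run_key_to_user_writable_path(ev):
    return (ev["type"] == "RegistryValueSet" and RUN_KEY in norm(ev["target"])
            and norm(ev["details"]).startswith(SUSPICIOUS_ROOTS))


RULES = [rule_execution_from_suspicious_folder, rule_mock_system_directory,
         rule_defender_exclusion_added, rule_run_key_to_user_writable_path]


def detect(events):
    """Return (rule name, event index) for every rule that fires."""
    return [(rule.__name__[5:], i) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, i in detect(EVENTS):
        print(f"{name}: event {i} -> {EVENTS[i].get('image') or EVENTS[i].get('target')}")
```

The mock-directory rule keys on the one detail the graph makes visible that a flat path listing hides: "C:\Windows \System32" with a space after Windows is not the real System32, so a Netplwiz.exe there, next to a dropped NETUTILS.dll, is the side-loading stage the report flags. The other three rules correspond to the "Execution from Suspicious Folder", "Adds a directory exclusion to Windows Defender" and Run-key autorun signatures listed on this page.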
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2021-05-10 07:36:51 UTC
File Type: PE (Exe)
Extracted files: 16
AV detection: 31 of 47 (65.96%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader loader persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
Malware Config
C2 Extraction: http://www.clinics.life/qku9/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments

a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-10 13:57:44 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
3) [F0002.002] Collection::Polling
5) [C0026.002] Data Micro-objective::XOR::Encode Data
7) [C0051] File System Micro-objective::Read File
8) [C0052] File System Micro-objective::Writes File
9) [C0007] Memory Micro-objective::Allocate Memory
10) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
11) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
12) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
13) [C0038] Process Micro-objective::Create Thread
14) [C0041] Process Micro-objective::Set Thread Local Storage Value
15) [C0018] Process Micro-objective::Terminate Process