MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adfc1312ed080bcd3fff720269f3c544b5f33194acb71f36b2393d85eeedc34a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 13


SHA256 hash: adfc1312ed080bcd3fff720269f3c544b5f33194acb71f36b2393d85eeedc34a
SHA3-384 hash: 391274f405d50f900ab99e2f63fd4bf770b3b1b098c4bc0a653861d1a3653faf9d8d2954ca6f72282de7e347a1bac8d9
SHA1 hash: 1f4aa8b7878e19c26e11a9001021975f5c2adca0
MD5 hash: 8e71e9516683fb3becd0c6cdf5a9fa64
humanhash: kitten-papa-speaker-river
File name: 8e71e9516683fb3becd0c6cdf5a9fa64
Signature: Formbook
File size: 429'568 bytes
First seen: 2021-08-10 17:51:00 UTC
Last seen: 2021-08-10 19:01:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:AH3sPiRmMzP7J55msJ/yU43aOBxijnKtpqRRrrOXpr:Y31mMRXh/yxqOBkj4qRRr6XJ
Threatray: 7'708 similar samples on MalwareBazaar
TLSH: T1CE9423526861AF81CA7B02F294D71EB105B2FD67E222E58902D65EBCB3CF94971700E6
dhash icon: 0020149968040000 (3 x Formbook, 2 x a310Logger)
Reporter: zbetcheckin
Tags: 32 exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 238
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 8e71e9516683fb3becd0c6cdf5a9fa64
Verdict: Malicious activity
Analysis date: 2021-08-10 17:51:30 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
DNS request
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses powershell Test-Connection to delay payload execution
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph (ID 462864, sample dGgZGZYFel, start date 10/08/2021, architecture WINDOWS, score 100), recovered from the flattened graph image:

Top-level network: www.thebbchallenge.com; www.cxdnl.com; 2 other IPs or domains
Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 5 other signatures

Process tree (dropped files and per-process signatures as shown in the graph):
dGgZGZYFel.exe
    dropped: C:\Users\user\AppData\Roaming\...\paint.exe (PE32); C:\Users\user\AppData\...\dGgZGZYFel.exe (PE32); C:\Users\user\...\paint.exe:Zone.Identifier (ASCII); 2 other malicious files
    signatures: Writes to foreign memory regions; Uses powershell Test-Connection to delay payload execution; Injects a PE file into a foreign processes
    +- dGgZGZYFel.exe (network: 192.168.2.1, unknown)
    |   dropped: C:\Users\user\AppData\...\FB_8C85.tmp.exe (PE32); C:\Users\user\AppData\...\FB_7E0D.tmp.exe (PE32)
    |   signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    |   +- FB_8C85.tmp.exe
    |   |   signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Modifies the context of a thread in another process (thread injection); 4 other signatures
    |   |   injects into -> explorer.exe
    |   |       +- paint.exe
    |   |       |   dropped: C:\Users\user\AppData\Local\Temp\paint.exe (PE32); C:\Users\user\...\paint.exe:Zone.Identifier (ASCII)
    |   |       |   signatures: Writes to foreign memory regions; Uses powershell Test-Connection to delay payload execution; Injects a PE file into a foreign processes
    |   |       |   +- paint.exe
    |   |       |   |   dropped: C:\Users\user\AppData\...\FB_9059.tmp.exe (PE32); C:\Users\user\AppData\...\FB_82DB.tmp.exe (PE32)
    |   |       |   |   signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    |   |       |   |   +- FB_9059.tmp.exe (signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements)
    |   |       |   |   +- FB_82DB.tmp.exe
    |   |       |   +- powershell.exe (network: dns.google, 8.8.8.8.in-addr.arpa) -> conhost.exe
    |   |       |   +- powershell.exe (network: dns.google, 8.8.8.8.in-addr.arpa) -> conhost.exe
    |   |       +- WWAHost.exe
    |   |       |   signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
    |   |       |   +- cmd.exe -> conhost.exe
    |   |       +- paint.exe
    |   |           +- powershell.exe (network: dns.google, 8.8.8.8.in-addr.arpa) -> conhost.exe
    |   |           +- powershell.exe (network: 2 other IPs or domains) -> conhost.exe
    |   +- FB_7E0D.tmp.exe
    +- powershell.exe (network: dns.google, 8.8.8.8.in-addr.arpa) -> conhost.exe
    +- powershell.exe (network: dns.google, 8.8.8.8.in-addr.arpa) -> conhost.exe
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-08-10 17:51:04 UTC
AV detection: 16 of 27 (59.26%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:ur5u loader persistence rat suricata
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction: http://www.cover-kart.com/ur5u/
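The three sandbox reports above agree on a small set of observable behaviours: a Run-key entry pointing at a freshly dropped file under AppData, a dropped stage opening explorer.exe with injection rights (thread-context manipulation, APC queueing, process hollowing), powershell.exe running Test-Connection as a delay, and a GET check-in to the extracted C2. The following is added example code, not sandbox or MalwareBazaar code, showing how those behaviours can be matched in host telemetry. The events are constructed Sysmon-style key=value lines (event IDs 1, 3, 10 and 13 with Sysmon's field names, plus a Url field on event 3 standing in for a proxy log); the paths, SIDs and the exact PowerShell command line are assumptions, while the C2 URL and hashes are taken from this entry.

```python
"""Host- and network-side checks for the behaviours the sandboxes report above.
Added example, not sandbox or MalwareBazaar code. Events are constructed
Sysmon-style key=value lines; paths, SIDs and command lines are assumptions."""
import re
from urllib.parse import urlparse

# Indicators lifted from this entry: the extracted C2 and the sample/payload hashes.
C2_URLS = {"http://www.cover-kart.com/ur5u/"}
KNOWN_SHA256 = {
    "adfc1312ed080bcd3fff720269f3c544b5f33194acb71f36b2393d85eeedc34a",  # submitted file
    "0d93d01cc27f66596162b0ed1c1e7789e75d3fd7f4c0fcb413076af602bd7d3f",  # unpacked win_formbook_g0 hit
}

PROCESS_CREATE, NETWORK_CONNECT, PROCESS_ACCESS, REGISTRY_SET = 1, 3, 10, 13
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\", re.I)
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE: what a
# WriteProcessMemory / SetThreadContext / QueueUserAPC injector must hold on its target.
INJECT_ACCESS = 0x0002 | 0x0008 | 0x0020
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def refang(ioc):
    """Reporters post URLs defanged (hxxp://, [.]); normalise before comparing."""
    return re.sub(r"^hxxp", "http", ioc, flags=re.I).replace("[.]", ".").replace("[:]", ":")


def norm_url(url):
    p = urlparse(refang(url))
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"


def parse_event(line):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(ev):
    """Return the names of the behaviours one event exhibits (empty if benign)."""
    hits = []
    eid = int(ev.get("EventID", 0))
    if eid == REGISTRY_SET and RUN_KEY_RE.search(ev.get("TargetObject", "")) \
            and USER_WRITABLE_RE.search(ev.get("Details", "")):
        hits.append("run_key_to_user_writable_path")        # "Adds Run key to start application"
    elif eid == PROCESS_ACCESS:
        granted = int(ev.get("GrantedAccess", "0"), 16)
        if (granted & INJECT_ACCESS) == INJECT_ACCESS \
                and ev.get("TargetImage", "").lower().endswith("\\explorer.exe") \
                and USER_WRITABLE_RE.search(ev.get("SourceImage", "")):
            hits.append("injection_rights_on_explorer")      # "Unauthorized injection to a system process"
    elif eid == PROCESS_CREATE:
        if "powershell" in ev.get("Image", "").lower() \
                and re.search(r"test-connection", ev.get("CommandLine", ""), re.I):
            hits.append("powershell_test_connection_delay")  # "Uses powershell Test-Connection to delay payload execution"
        for part in ev.get("Hashes", "").split(","):
            if part.upper().startswith("SHA256=") and part[7:].lower() in KNOWN_SHA256:
                hits.append("known_sample_sha256")
    elif eid == NETWORK_CONNECT and "Url" in ev:
        if norm_url(ev["Url"]) in {norm_url(u) for u in C2_URLS}:
            hits.append("formbook_c2_checkin_url")           # "ET MALWARE FormBook CnC Checkin (GET)"
    return hits


def scan(lines):
    """(1-based line number, behaviour name) for every hit in a log."""
    return [(n, h) for n, line in enumerate(lines, 1) for h in classify(parse_event(line))]


# Constructed events modelled on the process tree above (wwh.exe is the file
# name in the reporter's URL; paint.exe / FB_8C85.tmp.exe are the dropped names).
# Lines 3 and 5 are benign look-alikes that must not match.
SAMPLE_LOG = [
    r'EventID=1 Image=C:\Users\user\Downloads\wwh.exe CommandLine="C:\Users\user\Downloads\wwh.exe" Hashes=SHA256=adfc1312ed080bcd3fff720269f3c544b5f33194acb71f36b2393d85eeedc34a',
    r'EventID=13 Image=C:\Users\user\AppData\Local\Temp\paint.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\paint Details=C:\Users\user\AppData\Local\Temp\paint.exe',
    r'EventID=13 Image="C:\Program Files\Microsoft OneDrive\OneDrive.exe" TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details="C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"',
    r'EventID=10 SourceImage=C:\Users\user\AppData\Local\Temp\FB_8C85.tmp.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1FFFFF',
    r'EventID=10 SourceImage=C:\Windows\System32\Taskmgr.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -Command Test-Connection -ComputerName 8.8.8.8 -Count 20"',
    r'EventID=3 Image=C:\Windows\explorer.exe Url=http://www.cover-kart.com/ur5u/',
]

if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LOG):
        print(f"line {n}: {hit}")
```

The access-mask test is the part worth keeping even when the rest is tuned: a legitimate tool that merely queries explorer.exe (line 5, PROCESS_QUERY_LIMITED_INFORMATION) does not carry the create-thread and write bits, whereas the dropped FB_*.tmp.exe stage must hold all three to rewrite a thread's context or queue an APC. The Run-key rule deliberately requires the target to live in a user-writable directory, which is what separates the dropped paint.exe from an ordinary per-user autostart.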
Unpacked files
SHA256 hash: 0d93d01cc27f66596162b0ed1c1e7789e75d3fd7f4c0fcb413076af602bd7d3f
MD5 hash: f5b97c28340989aa662ec4d0412a3082
SHA1 hash: 57057c02f5df0f5b7f3fba39805c423856c90551
Detections: win_formbook_g0

SHA256 hash: 5dbc91fc6a91a24e8b7ca0a52b1172198862f6713500f65c0a1674b7666eb4fd
MD5 hash: 4e97fb06dc1eaf78f857d8b77eb5b42b
SHA1 hash: 485d618fe5c0576fe63849d1868aae52ea5f7c2a
Detections: win_formbook_g0 win_formbook_auto

SHA256 hash: fd95d0e618ba274a5e5678321fe70a229952ba86a027a6522db2215314245eda
MD5 hash: 90d4b06daba81e035191e66915ef9df0
SHA1 hash: f3dd804f79e1ed37c060e356669a1a7ea77d136b

SHA256 hash: b696bcb65d8bd890f9db6622bb7c3c4ff0234c033043c19ac1149d13e9da430b
MD5 hash: c7ce55dfb6f48693f16b3736647b0435
SHA1 hash: 815b4bd43a45d6234e6694fd74aefeed190f94c1

SHA256 hash: bd309fe01856dfa7a226dd3e0918768be403dda05d2a6e977a0a6c2da7680b12
MD5 hash: 246cd983f029be0e0a81dba17c4c878b
SHA1 hash: 60609ba5e8703399f32ca61f71879cffba88ff7e

SHA256 hash: adfc1312ed080bcd3fff720269f3c544b5f33194acb71f36b2393d85eeedc34a (this sample)
MD5 hash: 8e71e9516683fb3becd0c6cdf5a9fa64
SHA1 hash: 1f4aa8b7878e19c26e11a9001021975f5c2adca0
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is later than the current local time
Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
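Three of the four YARA matches above (pe_imphash twice and Skystars_Malware_Imphash) fire on nothing but the import hash, and the header shows the same imphash on 48'661 AgentTesla, 19'474 Formbook and 12'208 SnakeKeylogger samples. The following added example (not MalwareBazaar, Mandiant or pefile code) reimplements the published imphash algorithm over an already-parsed import table, i.e. a list of (dll, [function name or ordinal, ...]) pairs such as pefile's DIRECTORY_ENTRY_IMPORT would give you, so the PE parsing step is out of scope. The two import tables at the bottom are constructed, not extracted from this sample; the ordinal tables are abbreviated to the entries used.

```python
"""Import hash (imphash) over a parsed import table.
Added example, not MalwareBazaar/pefile code; import tables below are constructed."""
import hashlib

# The algorithm resolves ordinal-only imports to names for exactly two DLLs.
# Only the entries used below are listed; the full tables live in pefile's
# ordlookup module.
ORDINAL_NAMES = {
    "ws2_32.dll": {3: "closesocket", 4: "connect", 16: "recv", 19: "send",
                   23: "socket", 52: "gethostbyname", 115: "WSAStartup",
                   116: "WSACleanup"},
    "oleaut32.dll": {2: "SysAllocString", 6: "SysFreeString", 7: "SysStringLen",
                     8: "VariantInit", 9: "VariantClear"},
}


def import_string(imports):
    """Canonical 'dll.func,dll.func,...' string that gets hashed.

    DLL names are lower-cased and lose a .dll/.ocx/.sys extension, function
    names are lower-cased, unresolved ordinals become 'ordN'. Order is kept,
    so the same imports in a different order give a different imphash."""
    parts = []
    for dll, funcs in imports:
        dll = dll.lower()
        base, dot, ext = dll.rpartition(".")
        lib = base if dot and ext in ("dll", "ocx", "sys") else dll
        for func in funcs:
            if isinstance(func, int):
                name = ORDINAL_NAMES.get(dll, {}).get(func, f"ord{func}")
            else:
                name = func
            parts.append(f"{lib}.{name.lower()}")
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


# Constructed import tables, not parsed from the sample on this page.
# A managed (.NET) executable's native import table is normally just the CLR
# entry stub, so every such binary hashes identically whatever the managed code
# does: the imphash then identifies the runtime stub, not the malware family,
# which is what the per-family counts next to the imphash in the header show.
DOTNET_STUB = [("mscoree.dll", ["_CorExeMain"])]
NATIVE_INJECTOR = [
    ("KERNEL32.dll", ["CreateProcessW", "WriteProcessMemory",
                      "SetThreadContext", "ResumeThread"]),
    ("WS2_32.dll", [115, 23, 4, 19, 16, 3, 116]),   # ordinal-only imports, resolved
    ("custom.ocx", [7]),                            # DLL not in the table: stays ordN
]

if __name__ == "__main__":
    print("dotnet stub    :", imphash(DOTNET_STUB))
    print("native injector:", imphash(NATIVE_INJECTOR))
    print(import_string(NATIVE_INJECTOR))
```

Run it and compare the first value with the imphash in the entry header. The practical reading of an imphash-only YARA hit on a .NET dropper is therefore "unknown managed executable", not "Formbook"; the win_formbook_g0 / win_formbook_auto matches on the unpacked files above are what actually supports the family attribution.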

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File
Web download | Formbook | Executable exe adfc1312ed080bcd3fff720269f3c544b5f33194acb71f36b2393d85eeedc34a (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-08-10 17:51:01 UTC

url: hxxp://auto-house.info/cgt/wwh.exe