MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae74b8c9e1f56b45a7cd04935a720d3bb42a5e58d257a648474c89def6b54a01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae74b8c9e1f56b45a7cd04935a720d3bb42a5e58d257a648474c89def6b54a01
SHA3-384 hash: d7040bc0142493f58f12a6b3e9691e12ec9aa2cd1b4c3e30f1dd018e071993ac5b47f72d51342e2a6af32b983885e2c6
SHA1 hash: 75a9bef69eb70ae57d7d8735ece203a97f37950e
MD5 hash: 5bac332642f907ed254f85c6b60fa79d
humanhash: monkey-twenty-whiskey-glucose
File name:ae74b8c9e1f56b45a7cd04935a720d3bb42a5e58d257a648474c89def6b54a01.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:243'480 bytes
First seen:2024-09-11 01:29:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:DOmkNEhXdfslyuJPEXyiaKTrz+MJSz19M90U8x:iaXsAu1EXyvUPJS9MGx
Threatray 3'339 similar samples on MalwareBazaar
TLSH T1473412A132948055DCFB5C36C99FC67803B198DBB5C2EE6879C6772D84EB3F1051A88B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter Chainskilabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
406
Origin country :
US US
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
ae74b8c9e1f56b45a7cd04935a720d3bb42a5e58d257a648474c89def6b54a01.exe
Verdict:
Malicious activity
Analysis date:
2024-09-11 01:31:22 UTC
Tags:
formbook xloader stealer
Link:
https://app.any.run/tasks/6b57fc25-2d24-4754-9f91-5cd3f6e72757

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1268.28124.18688.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e0f29d76bc4542b04962ec
Tags:
Encryption Network Static Stealth Heur
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/66e0f29cf3d08fbdb5789481/reports/d0ceea91-ce53-4964-b119-17e62caa2603/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/ae74b8c9e1f56b45a7cd04935a720d3bb42a5e58d257a648474c89def6b54a01
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ae425ee8-d031-456f-b0b4-2e9a48b4beee
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1509117
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1509117 Sample: 5h48M0mr7p.exe Startdate: 11/09/2024 Architecture: WINDOWS Score: 100 31 www.piqevou.xyz 2->31 33 www.czcionki.xyz 2->33 35 28 other IPs or domains 2->35 43 Suricata IDS alerts for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 51 8 other signatures 2->51 11 5h48M0mr7p.exe 1 2->11         started        signatures3 49 Performs DNS queries to domains with low reputation 33->49 process4 file5 29 C:\Users\user\AppData\...\5h48M0mr7p.exe.log, CSV 11->29 dropped 63 Writes to foreign memory regions 11->63 65 Allocates memory in foreign processes 11->65 67 Injects a PE file into a foreign processes 11->67 15 cvtres.exe 11->15         started        signatures6 process7 signatures8 69 Modifies the context of a thread in another process (thread injection) 15->69 71 Maps a DLL or memory area into another process 15->71 73 Sample uses process hollowing technique 15->73 75 4 other signatures 15->75 18 explorer.exe 79 7 15->18 injected process9 dnsIp10 37 ext-sq.squarespace.com 198.185.159.144, 49714, 80 SQUARESPACEUS United States 18->37 39 www.akcessoires.com 158.176.192.52, 49716, 49722, 49727 SOFTLAYERUS United States 18->39 41 6 other IPs or domains 18->41 53 System process connects to network (likely due to code injection or exploit) 18->53 22 cmmon32.exe 18->22         started        signatures11 process12 signatures13 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 59 Tries to detect virtualization through RDTSC time measurements 22->59 61 Switches to a custom stack to bypass stack traces 22->61 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ae74b8c9e1f56b45a7cd04935a720d3bb42a5e58d257a648474c89def6b54a01
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ae74b8c9e1f56b45a7cd04935a720d3bb42a5e58d257a648474c89def6b54a01/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vz2lrspb6vvulj6nasjvu4qnho2cuxsy2jl2mschjse555vvjiaq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
109ab3837f865b4ba288ca4a1fa4e8d416c04b3686376c55128553d4a4db55b5
Formbook
1d8e5ebbfd116c875add08d4a4b4a37ef0361b28f9e9cbfd0690bc81206338c6
Formbook
60e62d5459b1971893914ca21242c08a31cdc2dcdeed79e92c0b594e43bf8ec5
Formbook
85383a8f1761aba192877153fbca884993d7b54e2673481a1bb78648f58f236e
Formbook
904c33cddf1d9930deaafe80395988a6b61f4acd79e8e29058a6dc00a3de851b
Formbook
9973a0ac74f8649b431499862359352cc0e8639f4f46ae5ae2371fcdaaf31320
Formbook
ae74b8c9e1f56b45a7cd04935a720d3bb42a5e58d257a648474c89def6b54a01
Formbook
b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14
Formbook
d4c465f27047a494b15d0cd45c9506d7e8acafb93d02b2acf601b7b36599d1af
Formbook
+ 3'329 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:tqug discovery loader rat
Link:
https://tria.ge/reports/240911-bwtrgsvfqr/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Xloader payload
Xloader
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3e81de44-7c59-4c40-a023-092fed33c876
Unpacked files
SH256 hash:
6fd50c9983f77abf7ac2cb8c2a6f6e0aa1ea34a0832094dcfbba0a7739e9ec12
MD5 hash:
c319fde17ac82c6bbe0fda32146d9900
SHA1 hash:
bf782b7d1d12ae92e80b286fb67e347b6ba67e24
Detections:
XLoader
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_w0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/d8a47dd5-9a59-4bb1-b92d-a20b75a4ff44/
SH256 hash:
8ae8262bd82468ee8acd1957c656d5021b37b0efc562bc75d976c5bd7efd0b71
MD5 hash:
83a18e54b9f0b3aceb72dd95d559bfc4
SHA1 hash:
76405b4c36df2a65fbd78fe2bcbfb9706fd5be9b
Link:
https://www.unpac.me/results/d8a47dd5-9a59-4bb1-b92d-a20b75a4ff44/
SH256 hash:
ae74b8c9e1f56b45a7cd04935a720d3bb42a5e58d257a648474c89def6b54a01
MD5 hash:
5bac332642f907ed254f85c6b60fa79d
SHA1 hash:
75a9bef69eb70ae57d7d8735ece203a97f37950e
Link:
https://www.unpac.me/results/d8a47dd5-9a59-4bb1-b92d-a20b75a4ff44/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ae74b8c9e1f5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/ae74b8c9e1f56b45a7cd04935a720d3bb42a5e58d257a648474c89def6b54a01

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_APT29_WINELOADER_Backdoor
Create hunting rule
Author:daniyyell
Description:Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments