MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1e9060288c5c28d0fb5ba1c91b5c507e15011a063009da3e382ad6b90b09790. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1e9060288c5c28d0fb5ba1c91b5c507e15011a063009da3e382ad6b90b09790
SHA3-384 hash: 47f04fe4bcf5ca7c54f1edc3f1f7ef00aaee410c524395b4bcfa36cdcc02fc5e44cfa6b58a5360abe11d8d65a5bf0185
SHA1 hash: 36ad032ed59d28564fc2d6f3840d0e74d4f9cd0c
MD5 hash: 0b72c636a166a3bfd713d056971eec02
humanhash: hot-wyoming-high-magnesium
File name:vbc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:808'448 bytes
First seen:2021-09-20 13:14:42 UTC
Last seen:2021-09-20 14:25:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:K5MTdQJ8WsmtiK5oyZbXnchk9R45FgVUgmF5DrL8BDm/Gmz0eKofqSt:g6+Fo6Xnb92TqnMGmoJAft
Threatray 6'109 similar samples on MalwareBazaar
TLSH T110059DC17D47D89BF4DF2AF3986FC12011656E9D9161C73D26827A2B65F330230ABA4E
File icon (PE):PE icon
dhash icon b282b8a4a6929e9e (23 x Formbook, 20 x AgentTesla, 9 x SnakeKeylogger)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vbc.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 13:18:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bab2421e-8bd9-4f64-a249-9f5139a7cd7c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189454/
Detection(s):
SecuriteInfo.com.Artemis0B72C636A166.14597.3713.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8dca4d2c-d6a3-4b9d-809d-53b589aee504
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854058
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 486491 Sample: vbc.exe Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 6 other signatures 2->42 10 vbc.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\...\vbc.exe.log, ASCII 10->28 dropped 56 Tries to detect virtualization through RDTSC time measurements 10->56 58 Injects a PE file into a foreign processes 10->58 14 vbc.exe 10->14         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.tzhxxl.com 156.234.138.10, 49780, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 17->30 32 www.riothmobile.quest 37.123.118.150, 49782, 80 UK2NET-ASGB United Kingdom 17->32 34 9 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 46 Uses netsh to modify the Windows network and firewall settings 17->46 21 netsh.exe 17->21         started        signatures10 process11 signatures12 48 Self deletion via cmd delete 21->48 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b1e9060288c5c28d0fb5ba1c91b5c507e15011a063009da3e382ad6b90b09790/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 10:02:30 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19f2101d500dfa2ba71baf220497fe8888667bb7d9c8cf4996087ff67c11d156
Formbook
1d4caa0b975ecf0bcb2cc854e5704a7a47d97aac648e0b3634143354c98aacb9
Formbook
36499f5c573a8752c3b566b19e52f3a235e73e4cdb7123f3452a007c945f7daf
Formbook
37a8922f49037f65771bc1e4ab9d7fbb4b1c27ce2bc79fe618705f4d90ad7615
Formbook
6071e97eb6bbb48aea3c96d06190166daf16ecff8dcbc0481cf44e2c8ef84a30
Formbook
687b91a38a011ab52837bde98b31b5b2efb06151a8ae940c03096cd9fe87e9da
Formbook
7b8353f603a3cbc9e87b5845409c451fc624d6757cdb93255e5fa4bec5737b21
Formbook
e4c51cfe125602ab5cd33e751d121395c59599055a8294a5234c37a399ddf582
Formbook
eb71f32d26de060a63615acc43153a83f87570e0edb43bc4e7b47caf45c34eee
Formbook
f3238da427c80f842f5b4a789726005ac06157181d80a32105aa639b325d0330
Formbook
+ 6'099 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n90q loader rat suricata
Link:
https://tria.ge/reports/210920-qhah1sghej/
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Uses the VBS compiler for execution
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.adorotudoisso.club/n90q/
Unpacked files
SH256 hash:
6250ec5b8677b88a85a44abd8d01220741e7f13b99dfc9ffbe7a3052227b2669
MD5 hash:
479e8db0155831cc628f4cfa1aa238ac
SHA1 hash:
c9fff7b141828936ede6a01b8e3b2c6f18c45194
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a243ac3b-5214-42f4-9485-eb9e71e6782a/
Parent samples :
b1e9060288c5c28d0fb5ba1c91b5c507e15011a063009da3e382ad6b90b09790
be2ed31f85df8e65c76d1fd87ceb62a6381c0c5244eca15349bb0976052c2695
da641202fb53638f3aad2bda8a87d215855cf03aa658637e3dd70dbe5c3c47fd
699ac8f16c67cda47a80657cce69cbb8b42d711a9e4609ad6a8ff2ed84119b01
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/a243ac3b-5214-42f4-9485-eb9e71e6782a/
SH256 hash:
57a90873f918f83b2bf572eb0d2e9cf9d2f1c9de54602a77f5abb231992cdc90
MD5 hash:
05a96abbcff60c6f37804c37e8228332
SHA1 hash:
a91b7341adc9b26d2fcf68207d25971fd012a645
Link:
https://www.unpac.me/results/a243ac3b-5214-42f4-9485-eb9e71e6782a/
SH256 hash:
1280ba9e34f29cc4411771cd04f0532353b9dea2cbd3e94ab88c96bc05a5cd54
MD5 hash:
47baa825303c2919cf368363e7068af1
SHA1 hash:
1b4dc03ea5decb0e2780cc4eb255495f9662e344
Link:
https://www.unpac.me/results/a243ac3b-5214-42f4-9485-eb9e71e6782a/
SH256 hash:
b1e9060288c5c28d0fb5ba1c91b5c507e15011a063009da3e382ad6b90b09790
MD5 hash:
0b72c636a166a3bfd713d056971eec02
SHA1 hash:
36ad032ed59d28564fc2d6f3840d0e74d4f9cd0c
Link:
https://www.unpac.me/results/a243ac3b-5214-42f4-9485-eb9e71e6782a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1e9060288c5c28d0fb5ba1c91b5c507e15011a063009da3e382ad6b90b09790

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/189454/
  
URLhaus
https://urlhaus.abuse.ch/url/1636058/

Comments