MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b550aaa7ad9a87ded94806b7e138ef735a9d2b0f8aa65bea55c57d49ea0d42eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b550aaa7ad9a87ded94806b7e138ef735a9d2b0f8aa65bea55c57d49ea0d42eb
SHA3-384 hash: 97b5ead0d35fd563beff3e5905e3b52753e941cb1cbe6bd51d78486d3338b8f7f3a7e44437b9f5c1e57e3e5b25349f0a
SHA1 hash: 2dd552d0bff95a4bd31c65139574fa3a5b52e97d
MD5 hash: 22e949af44997a62555bd90797ae551c
humanhash: massachusetts-ink-low-vegan
File name:purchase_enquiry_items2335.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:816'128 bytes
First seen:2022-03-07 16:59:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:H7R/I92iNNi1DFksR5nwGAuG7uOMtZlT4xhCaQjmH+UwVuQnS76FLHl:U1MDFkWnO4OoBShCFyeUIuQw0l
Threatray 13'611 similar samples on MalwareBazaar
TLSH T10905BE4835EA5039F83A8BF2CAC0EBF1DB6EE220D4C974B554000E559605BBD8956EFF
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247967/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e3e65944-65f9-4fd6-84b5-0548bbbc4537
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/951990
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 584471 Sample: purchase_enquiry_items2335.exe Startdate: 07/03/2022 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 6 other signatures 2->36 10 purchase_enquiry_items2335.exe 3 2->10         started        process3 file4 28 C:\...\purchase_enquiry_items2335.exe.log, ASCII 10->28 dropped 46 Tries to detect virtualization through RDTSC time measurements 10->46 48 Injects a PE file into a foreign processes 10->48 14 purchase_enquiry_items2335.exe 10->14         started        signatures5 process6 signatures7 50 Modifies the context of a thread in another process (thread injection) 14->50 52 Maps a DLL or memory area into another process 14->52 54 Sample uses process hollowing technique 14->54 56 Queues an APC in another process (thread injection) 14->56 17 explorer.exe 14->17 injected process8 process9 19 systray.exe 17->19         started        signatures10 38 Self deletion via cmd delete 19->38 40 Modifies the context of a thread in another process (thread injection) 19->40 42 Maps a DLL or memory area into another process 19->42 44 Tries to detect virtualization through RDTSC time measurements 19->44 22 cmd.exe 1 19->22         started        24 explorer.exe 155 19->24         started        process11 process12 26 conhost.exe 22->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b550aaa7ad9a87ded94806b7e138ef735a9d2b0f8aa65bea55c57d49ea0d42eb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-07 16:11:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wvikvj5ntkd55wkia236cohponnj2kyprktfx2svyv6ut2qnilvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
28c28db28e96276f72ce38a60d04f0711388d3f93ecb34d4721dc94fc2bf9f07
Formbook
39586764971f496d274f3d453029954720962ed36672050b742aef8b4e68a78e
Formbook
60b97b4d45e3850d57a661bf37987909c1f99096384123594cc1b79d5449348f
Formbook
6394de1149bac235402b7a6453331c0585bfcd54d2a31ce7e44b42fb24caf615
Formbook
9655ee4ca1167f87d9245041ab59e861d6b3bdde7897a3b4cb2deee8550bdaaa
Formbook
9e41bc1734c4bc894acdc9c08568cb2f1cd01078fa9b5f30d6f18c6383c22863
Formbook
aea459fb282282fc886f02283b2cfe1da12a6208e14859ffeb7f84a45a452bba
Formbook
dadfe6c54e7000472e145b38e7410fbfef963566a06811ede626705a9e98a53e
Formbook
e745791e3faad64dc3c475e87b458ac60853d5ca429a32b812c6bacbc841ef99
Formbook
ea94995d23d53a98a949a242022cbd9bc5b7a4320c3fb6c045370b15704e4004
Formbook
+ 13'601 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ah8e loader rat
Link:
https://tria.ge/reports/220307-vhz6wsfef4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
c20c6c9ec1049669e0dcf9e3675175a60fcaa65ecde9f51a0d5bc796a9b6f475
MD5 hash:
532791ccce74a42de71f96301e00fbe5
SHA1 hash:
a72e891901ca90b52e4cf6bc6a28aeee45b2bc23
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9462d413-77f6-463b-9cf4-2601ac071a26/
Parent samples :
b550aaa7ad9a87ded94806b7e138ef735a9d2b0f8aa65bea55c57d49ea0d42eb
8085268c9f2053c82abbff7add9efff451f11994a1ae313718cdecf2c693da06
SH256 hash:
b316b38d8c671d29bd3c31e568a45e91848bd0a96ba704041e376dc2a486d3e4
MD5 hash:
c73a7aec895f61a20c64cc9423c9ac2e
SHA1 hash:
f6ad8725213957e96223f42892905054378ee1d1
Link:
https://www.unpac.me/results/9462d413-77f6-463b-9cf4-2601ac071a26/
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/9462d413-77f6-463b-9cf4-2601ac071a26/
SH256 hash:
b0b4996dd6a1d51e19d62ccf5a38838f8f32fd5d2f3fa5b0a56223272763151f
MD5 hash:
b982b2a34a9c36958f9f0015d644a037
SHA1 hash:
60d52837548196acfa4ce77dea06026d654cc630
Link:
https://www.unpac.me/results/9462d413-77f6-463b-9cf4-2601ac071a26/
SH256 hash:
b550aaa7ad9a87ded94806b7e138ef735a9d2b0f8aa65bea55c57d49ea0d42eb
MD5 hash:
22e949af44997a62555bd90797ae551c
SHA1 hash:
2dd552d0bff95a4bd31c65139574fa3a5b52e97d
Link:
https://www.unpac.me/results/9462d413-77f6-463b-9cf4-2601ac071a26/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b550aaa7ad9a87ded94806b7e138ef735a9d2b0f8aa65bea55c57d49ea0d42eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b550aaa7ad9a87ded94806b7e138ef735a9d2b0f8aa65bea55c57d49ea0d42eb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/247967/

Comments