MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b55fdab1b973c44e6fb9e7689cd2f41e191a79078fc5c0c0a9d6c8387ea9340d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b55fdab1b973c44e6fb9e7689cd2f41e191a79078fc5c0c0a9d6c8387ea9340d
SHA3-384 hash: ac014bfd596a7e3cf6e314d2cccbcdf0fbaf1dd34a439f667ea0d1674ac0124276ae7cc70d10796805cd8dbf3d643abe
SHA1 hash: 5981d5632bb04651059df1b41e954689bc40ef5e
MD5 hash: 48c9b95ed17c2853b0c27ee7f775b34d
humanhash: september-yellow-earth-idaho
File name:48c9b95ed17c2853b0c27ee7f775b34d
Download: download sample
Signature Formbook
Create hunting rule
File size:930'304 bytes
First seen:2022-03-08 12:30:46 UTC
Last seen:2022-03-08 14:42:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:eGqsTHl98c/gBEl99rFktplHdOBB5Z7/KHSSf:eGrzk3lHoX5Z7U
Threatray 13'412 similar samples on MalwareBazaar
TLSH T13715BE10BA61207FE16B8D760BC0AC2399D7F5760206E2AF2C5EC6594FDA57ECD81C72
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248242/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.17048.7467.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/622799b7b94fb38cb43fc011/reports/8e7d9b90-5c30-49eb-bb7b-7c608bafcb1e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/493fbe75-a28d-4e11-b8ce-937235b43c63
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952523
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
DNS related to crypt mining pools
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 585000 Sample: Wb1KvzVSoE Startdate: 08/03/2022 Architecture: WINDOWS Score: 100 31 www.cred1t.one 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 49 8 other signatures 2->49 11 Wb1KvzVSoE.exe 3 2->11         started        signatures3 45 System process connects to network (likely due to code injection or exploit) 31->45 47 DNS related to crypt mining pools 31->47 process4 file5 29 C:\Users\user\AppData\...\Wb1KvzVSoE.exe.log, ASCII 11->29 dropped 63 Tries to detect virtualization through RDTSC time measurements 11->63 65 Injects a PE file into a foreign processes 11->65 15 Wb1KvzVSoE.exe 11->15         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.yiquge.com 104.143.33.213, 49819, 80 ZNETUS United States 18->33 35 www.ibrnbw.com 18->35 37 2 other IPs or domains 18->37 51 System process connects to network (likely due to code injection or exploit) 18->51 53 Uses ipconfig to lookup or modify the Windows network settings 18->53 22 ipconfig.exe 18->22         started        signatures11 process12 signatures13 55 Self deletion via cmd delete 22->55 57 Modifies the context of a thread in another process (thread injection) 22->57 59 Maps a DLL or memory area into another process 22->59 61 Tries to detect virtualization through RDTSC time measurements 22->61 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b55fdab1b973c44e6fb9e7689cd2f41e191a79078fc5c0c0a9d6c8387ea9340d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-08 12:31:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
28 of 42 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
070264132f92fc5cb01521385e73bf36954d4093da205c59821e844abed68b5f
Formbook
28c28db28e96276f72ce38a60d04f0711388d3f93ecb34d4721dc94fc2bf9f07
Formbook
31f44a55873cb84506a1213469e0c884eb7f8b4dea91197bedf8a892c1404654
Formbook
39586764971f496d274f3d453029954720962ed36672050b742aef8b4e68a78e
Formbook
510bc545d130a8a3ba0761398b897e7f0840a393d7cd12d98699525e0eb8bfff
Formbook
545d130d10ca2961ab5d1f3072049cea68154c9ed04d6b7fa408f7c81be10c2a
Formbook
9655ee4ca1167f87d9245041ab59e861d6b3bdde7897a3b4cb2deee8550bdaaa
Formbook
9d42e6621d13c43c63721e4f9b4f63c00ef1d7e97cb0fe061bd19cbcc6e2e735
Formbook
afdf1b728a94beb99d17537a9caa1cad644b86725578ac3fb350cf30c9441e7b
Formbook
c0b711533265ba0808d1f7a5fc9b0dd17e19187c9566d9908763d27aaddf023c
Formbook
+ 13'402 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:pvgu loader rat
Link:
https://tria.ge/reports/220308-pp2qeaegf8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
b5e88368815724d56ca706f838991a04e14c61fcf69c742abb7fe7f0f93702ca
MD5 hash:
251f9c00f89ff7ef071f33286858ccf2
SHA1 hash:
1f863c0a6e532728caf73407a5dda0ee4d7a49b7
Link:
https://www.unpac.me/results/e5c624ad-72a5-4fc0-bb3e-a49ccb585fb0/
SH256 hash:
1cf03d758c705b92219e272c73a4de096c52468bee704f0415711ef624244c93
MD5 hash:
8c2bcb8da74133167b02e999e9679ec0
SHA1 hash:
59fed79806ca178f8bb78a59ce5d5b853da16d22
Link:
https://www.unpac.me/results/e5c624ad-72a5-4fc0-bb3e-a49ccb585fb0/
SH256 hash:
175285bfa8a73b3990f54994b8825c1f3396635bc344939cd8d9fc60b9569b46
MD5 hash:
f26eb90c6addfc99fa0c2e63896216d2
SHA1 hash:
77e01b96d8c211d4d24fc0a1aae91122caf5f668
Link:
https://www.unpac.me/results/e5c624ad-72a5-4fc0-bb3e-a49ccb585fb0/
SH256 hash:
f2fd2a66520f0b0cd24cdbb0c1edafda47f03a1656b7edd5e84245c9a42ae5eb
MD5 hash:
9621f5b5322aa74769639b6104fdc6fc
SHA1 hash:
1501d2300eb134f73a53deaf751a9156fb2d0f87
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e5c624ad-72a5-4fc0-bb3e-a49ccb585fb0/
Parent samples :
c0b711533265ba0808d1f7a5fc9b0dd17e19187c9566d9908763d27aaddf023c
b55fdab1b973c44e6fb9e7689cd2f41e191a79078fc5c0c0a9d6c8387ea9340d
b7644594c68c21aa4731efc1d146a8546ee3915d338903cea20d56d28a49fe23
SH256 hash:
b55fdab1b973c44e6fb9e7689cd2f41e191a79078fc5c0c0a9d6c8387ea9340d
MD5 hash:
48c9b95ed17c2853b0c27ee7f775b34d
SHA1 hash:
5981d5632bb04651059df1b41e954689bc40ef5e
Link:
https://www.unpac.me/results/e5c624ad-72a5-4fc0-bb3e-a49ccb585fb0/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b55fdab1b973/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/b55fdab1b973c44e6fb9e7689cd2f41e191a79078fc5c0c0a9d6c8387ea9340d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe b55fdab1b973c44e6fb9e7689cd2f41e191a79078fc5c0c0a9d6c8387ea9340d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2083976/
Cape
Cape
https://www.capesandbox.com/analysis/248242/

Comments


Avatar
zbet commented on 2022-03-08 12:30:49 UTC

url : hxxp://198.23.212.228/saintXL.exe