MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b916a75e098e7693ca3d6b8ba674df813bf42daffa4a404cbd6c1dcc997cdb9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 10



SHA256 hash: b916a75e098e7693ca3d6b8ba674df813bf42daffa4a404cbd6c1dcc997cdb9d
SHA3-384 hash: 2bcfd0010c77a624472a8ec3b9ecfe4bebdf0396e645f1df8a6afb01f26148e386d56aa6b8a196e53a4133d942867318
SHA1 hash: 58b2fd38577fee82d03c38990e12ca08500b75f7
MD5 hash: 7270b5a7172ce1571a19913b7d1ac43f
humanhash: don-nine-washington-oklahoma
File name:Shipment Document Pdf.exe
Signature Formbook
File size:944'128 bytes
First seen:2021-04-27 08:31:43 UTC
Last seen:2021-04-27 10:13:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
Note: this imphash is the one shared by practically every .NET executable, whose only native import is _CorExeMain from mscoree.dll; the vendor detection name further down (ByteCode-MSIL.*) confirms this sample is a .NET loader. The 80'000+ matches across three unrelated families therefore say nothing about this sample's lineage. Pivot on ssdeep, TLSH, the unpacked payload hash or the extracted C2 instead.
ssdeep 24576:iLAVs/VSgGjkTXFxvGGOiwwll1CC19VoPcedX:aCs/LGwTOTKUCJord
Threatray 5'329 similar samples on MalwareBazaar
TLSH 3815CF3122E89B4AE0BE5739D472020097F0FA17D326DACE6D9554DE2D617C0C6BF7A2
Reporter abuse_ch
Tags:exe FormBook
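The following is an added example, not MalwareBazaar code, that re-implements the import hash so the cross-family collision on this page can be reproduced. It follows the rule pefile uses: lower-case "dll.function" pairs in import-table order, the .dll/.ocx/.sys suffix dropped, ordinal-only imports written as ordN, then MD5 of the comma-joined string (pefile additionally maps well-known ordinals of a few system DLLs to names; that lookup is left out here, so an ordinal import hashes slightly differently from pefile's result). Both import tables below are constructed, not parsed from the sample.

```python
"""Re-implement the import hash (imphash) to show why one value covers
tens of thousands of .NET samples.

Added example; the import tables are constructed, not read from the sample.
"""
import hashlib

STRIPPED_SUFFIXES = (".dll", ".ocx", ".sys")


def imphash(imports):
    """imports: iterable of (dll_name, function_name_or_ordinal) in PE order.

    Returns the hex MD5 of the normalised import list, the same rule pefile
    applies (minus its ordinal-to-name table for ws2_32/oleaut32).
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for suffix in STRIPPED_SUFFIXES:
            if lib.endswith(suffix):
                lib = lib[: -len(suffix)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# A .NET executable's only native import is the CLR entry point, so every
# .NET PE shares one imphash regardless of what the managed code does.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# A native Win32 stub, for contrast: its imphash depends on exactly which
# functions it names and in which order (constructed list).
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "CreateProcessW"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "SetThreadContext"),
    ("KERNEL32.dll", "ResumeThread"),
    ("WS2_32.dll", 23),  # socket() imported by ordinal; written as ord23 here
]

if __name__ == "__main__":
    print("dotnet loader imphash:", imphash(DOTNET_IMPORTS))
    print("native stub imphash  :", imphash(NATIVE_IMPORTS))
```

Because the managed code is invisible to the import table, the .NET value above matches any C# dropper, keylogger or stealer, which is exactly the AgentTesla/Formbook/SnakeKeylogger mix reported for this entry; imphash is only a useful pivot for native binaries with a meaningful import table.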

Intelligence


File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipment Document Pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-27 08:41:57 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID 398304; sample: Shipment Document Pdf.exe; start date: 27/04/2021; architecture: WINDOWS; score: 100)

Sample-level observations:
  Domains resolved: www.shenghuoquaner.net, www.familybankersecrets.com, familybankersecrets.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures

Process tree:
  Shipment Document Pdf.exe (started)
    dropped: C:\Users\...\Shipment Document Pdf.exe.log (ASCII)
    signature: Injects a PE file into foreign processes
    -> Shipment Document Pdf.exe (child, started)
         signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
         -> explorer.exe (injected)
              network: outerbodylabs.com 204.11.59.88 port 80 (local port 49721; PUBLIC-DOMAIN-REGISTRYUS, United States); www.monstergaragemerch.com 104.245.196.24 port 80 (local port 49734; L3NETUS, United States); 8 other IPs or domains
              signature: System process connects to network (likely due to code injection or exploit)
              -> colorcpl.exe (started)
                   network: www.appexivo.com
                   signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                   -> cmd.exe (started)
                        -> conhost.exe (started)
    -> Shipment Document Pdf.exe (second child, started)
Threat name:
ByteCode-MSIL.Spyware.Noon
Status:
Malicious
First seen:
2021-04-27 08:32:13 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  2/5
Result
Malware family:
xloader
Score:
  10/10
Tags:
family:xloader loader rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
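The two behaviour lists on this page (the sandbox signatures for process hollowing, thread-context modification and APC queueing, and the WriteProcessMemory/SetThreadContext/MapViewOfSection calls reported here) describe the same injection chain from two angles. The following is an added example, not code from MalwareBazaar or any sandbox vendor, that turns those observations into an ordered-stage detector run over an API trace. The API names and the trace layout are assumptions modelled on typical hook-based sandbox logs, and SAMPLE_TRACE is constructed by hand rather than taken from this sample.

```python
"""Flag process hollowing and APC injection in a sandbox API trace.

Added example; API names, trace layout and SAMPLE_TRACE are assumptions.
Each event is a dict: ts, pid (caller), api, target (pid acted on), flags.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess*

# Each technique is an ordered list of stages. A stage is satisfied by any of
# its API names, and the stages must appear in order on one (caller, target)
# edge: a loader that merely creates a suspended child and resumes it is not
# hollowing, and a WriteProcessMemory without a queued APC is not APC injection.
TECHNIQUES = {
    "process hollowing": [
        {"CreateProcessW:suspended", "CreateProcessA:suspended"},
        {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection"},
        {"SetThreadContext", "NtSetContextThread", "Wow64SetThreadContext"},
        {"ResumeThread", "NtResumeThread"},
    ],
    "APC injection": [
        {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection"},
        {"QueueUserAPC", "NtQueueApcThread"},
    ],
}


def normalise(event):
    """Fold the CREATE_SUSPENDED flag into the API name so it can be a stage."""
    api = event["api"]
    if api.startswith("CreateProcess") and event.get("flags", 0) & CREATE_SUSPENDED:
        return api + ":suspended"
    return api


def detect_injection(events):
    """Return (technique, caller_pid, target_pid) for every cross-process edge
    whose call sequence walks through all stages of a technique in order."""
    edges = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        edges[(ev["pid"], ev["target"])].append(normalise(ev))

    findings = []
    for (caller, target), apis in edges.items():
        if caller == target:
            continue  # self-targeted calls are ordinary program behaviour
        for name, stages in TECHNIQUES.items():
            pos, matched = 0, True
            for stage in stages:
                idx = next((i for i in range(pos, len(apis)) if apis[i] in stage), None)
                if idx is None:
                    matched = False
                    break
                pos = idx + 1  # later stages must follow this one
            if matched:
                findings.append((name, caller, target))
    return findings


# Constructed trace (not from the sample): pid 1000 hollows a suspended copy
# of itself (pid 1200), the hollowed copy migrates into explorer.exe (pid 2000)
# via a mapped section plus APC, and an unrelated launcher (pid 3000)
# legitimately creates a suspended child and resumes it without touching memory.
SAMPLE_TRACE = [
    {"ts": 1, "pid": 1000, "api": "CreateProcessW", "target": 1200, "flags": CREATE_SUSPENDED},
    {"ts": 2, "pid": 1000, "api": "NtUnmapViewOfSection", "target": 1200},
    {"ts": 3, "pid": 1000, "api": "VirtualAllocEx", "target": 1200},
    {"ts": 4, "pid": 1000, "api": "WriteProcessMemory", "target": 1200},
    {"ts": 5, "pid": 1000, "api": "SetThreadContext", "target": 1200},
    {"ts": 6, "pid": 1000, "api": "ResumeThread", "target": 1200},
    {"ts": 7, "pid": 1200, "api": "NtMapViewOfSection", "target": 2000},
    {"ts": 8, "pid": 1200, "api": "NtQueueApcThread", "target": 2000},
    {"ts": 9, "pid": 3000, "api": "CreateProcessW", "target": 3100, "flags": CREATE_SUSPENDED},
    {"ts": 10, "pid": 3000, "api": "ResumeThread", "target": 3100},
]

if __name__ == "__main__":
    for technique, caller, target in detect_injection(SAMPLE_TRACE):
        print(f"{technique}: pid {caller} -> pid {target}")
```

Debuggers, AV engines and some installers legitimately write to and resume other processes, so in production this logic belongs behind an allow-list of signed caller images; the ordering requirement is what keeps the benign pid 3000 launcher in the constructed trace from firing.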
Malware Config
C2 Extraction:
http://www.indiaw99.com/ou59/
Note: Formbook/XLoader configurations embed a list of candidate domains, most of them decoys that the bot also beacons to, so the domains contacted in the behavior graph above should not all be treated as C2; only the URL the config extractor reported is listed here.
Unpacked files
SHA256 hash:
11cf5a51e593c007ff4f91294cf505ffd5e425e56387c60d81e6479cc284cc3b
MD5 hash:
73cc3f7e7700e6a54cb5f291dffe5aa1
SHA1 hash:
09174f9fa55c9bac0540efb7a8c682878a32d02d
SHA256 hash:
b916a75e098e7693ca3d6b8ba674df813bf42daffa4a404cbd6c1dcc997cdb9d
MD5 hash:
7270b5a7172ce1571a19913b7d1ac43f
SHA1 hash:
58b2fd38577fee82d03c38990e12ca08500b75f7
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments