MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be246c8f7d9d07567fa9618fdacf5658709a1a71f2d61e0b32e89cf9abd499da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be246c8f7d9d07567fa9618fdacf5658709a1a71f2d61e0b32e89cf9abd499da
SHA3-384 hash: 27003a7aa37eed1b569a2d0dae7f40fbd858230001eb41aa4b09c7e80380f4cafd403d6cf16e2a64742aeb2401613c8c
SHA1 hash: bf19640052f1951a7ff6eb41f9166ca384b070ce
MD5 hash: 1ffed920017a57a543f00f230dedb55c
humanhash: six-cat-pizza-march
File name:file
Download: download sample
Signature Formbook
Create hunting rule
File size:641'536 bytes
First seen:2020-12-18 06:44:11 UTC
Last seen:2020-12-18 08:41:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:rLb6c2+YZ63wA5uhsM9I3+O+rxppNFYVXaJyAVLuevRJflBlSOTYLt:rLbdc0gA0hsM9I3F0IZaxv7/9TY5
Threatray 3'169 similar samples on MalwareBazaar
TLSH 46D4122026BCBF27EABD47F542256A410B79E57E2553F32D0DEB70E612A2F909740D23
Reporter fabjer
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2020-12-18 06:46:28 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/801329c6-9e9d-4573-aab4-705843e45c9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108405/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.4600.24386.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Creating a window
Creating a file
Sending a UDP request
Launching a process
Searching for the window
Creating a file in the Windows subdirectories
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/565966
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332066 Sample: file Startdate: 18/12/2020 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 4 other signatures 2->42 10 file.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 10->28 dropped 52 Writes to foreign memory regions 10->52 54 Allocates memory in foreign processes 10->54 56 Injects a PE file into a foreign processes 10->56 14 RegSvcs.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 2 other signatures 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 30 autoproductosmercantil.com 192.185.16.203, 49752, 49768, 80 UNIFIEDLAYER-AS-1US United States 17->30 32 hyzykj.net.lv1191.faipod.com 103.72.145.54, 49760, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 17->32 34 20 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 msdt.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/be246c8f7d9d07567fa9618fdacf5658709a1a71f2d61e0b32e89cf9abd499da/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 19:49:41 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xysgzd35tudvm75jmgh5vt2wlbyjugtr6llb4czs5coptk6uthna._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1ade8e9c697c91b31ad76389a10e95c229eb05359a1dd70358be045199ff77a4
Formbook
1ef127d41d790e02a24cd32fe6908eb42aeae3ab0e65a8291de67fdbf8c6cfa0
Formbook
2bda7325843b48687e064e2abeeef3f5eae5865fceccbbb0ad5229fcf624bf40
Formbook
339505a9dc4fdae3e5a44a6d33230c75d181a8674bead358b8c9012156f4672d
Formbook
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
Formbook
878d3d77023a927c7dc6aaab23b90cd1203bcd1bacdeedf997692a4c60d24129
Formbook
97b414e4df32b2618618bf61922085e35879a743b6cae758f73747682bdc7b02
Formbook
b6138e4d197c59380c87723cb54c9cf7d5e4600a4273c98723470a57a591edda
Formbook
d0ced5f721c7ce819359814a02662f80b0e18f80058c4bea887522700f17c1ee
Formbook
d9ba192982200a73ca54ce3c9f10c43a185e0d99864eee685bc7ba70c311110a
Formbook
+ 3'159 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/201218-pl5wmndy8n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.koku-jieitai.info/w8en/
Unpacked files
SH256 hash:
be246c8f7d9d07567fa9618fdacf5658709a1a71f2d61e0b32e89cf9abd499da
MD5 hash:
1ffed920017a57a543f00f230dedb55c
SHA1 hash:
bf19640052f1951a7ff6eb41f9166ca384b070ce
Link:
https://www.unpac.me/results/a19fc6cf-b4b0-4516-9dd5-1dd98d9c4041/
SH256 hash:
3048d9a3abdf8af42513c9d55f807f7bbebd2aaf90d2a37f85f1a6c30331eb80
MD5 hash:
57e70ff8888c597fe6897b80e3a9f43e
SHA1 hash:
9e20d1f662a198e097920f7d6bf778fab4bb5d11
Link:
https://www.unpac.me/results/a19fc6cf-b4b0-4516-9dd5-1dd98d9c4041/
SH256 hash:
e83cef9cfa4e2ea30e28843e43c60ebf8f6590fb753ad0aa5ed1123c01280527
MD5 hash:
bf99ee5fbf42797bd1ade95b109d634c
SHA1 hash:
e02abfdbca94a24a36b47d49a28360b79aabd294
Link:
https://www.unpac.me/results/a19fc6cf-b4b0-4516-9dd5-1dd98d9c4041/
SH256 hash:
3ba918fe2b137f0eb38c5e70bbe80523c5878bc69dbac4afd52c0a6403cd9290
MD5 hash:
19ac6dd3731b222b4b6d0b326e48ae96
SHA1 hash:
06c26263f1410f5fd4ab8f6d2f3c574b50cd197a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a19fc6cf-b4b0-4516-9dd5-1dd98d9c4041/
Parent samples :
d0ced5f721c7ce819359814a02662f80b0e18f80058c4bea887522700f17c1ee
be246c8f7d9d07567fa9618fdacf5658709a1a71f2d61e0b32e89cf9abd499da
b4ddceb2e5c7f97a31768c1313b0355e1c1996cb61cf57059758516bbe1fbd3c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be246c8f7d9d07567fa9618fdacf5658709a1a71f2d61e0b32e89cf9abd499da

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 454b93f25bcca014d758bf7d8caac0c615c328bd35fa9be0fc03732dfc7209d9

Formbook

Executable exe be246c8f7d9d07567fa9618fdacf5658709a1a71f2d61e0b32e89cf9abd499da

(this sample)

  
Dropped by
SHA256 454b93f25bcca014d758bf7d8caac0c615c328bd35fa9be0fc03732dfc7209d9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/108405/

Comments