MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be2d5feff0e6129b41979d8f15047d4dbebfc994ef7e71214324a1f412e4474e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be2d5feff0e6129b41979d8f15047d4dbebfc994ef7e71214324a1f412e4474e
SHA3-384 hash: 23aee6e3213e9b429a1b6ce6202cb3360cf5f3ad2a702e10365a526906b9a392ab289e41e88523ea88ea73cb46856256
SHA1 hash: 3f0dece659b5ecff0e0e787de7dd9ebd04e61fce
MD5 hash: 3d4add41bec8d4e426e67145da1ce829
humanhash: romeo-uncle-nitrogen-sodium
File name:PURCHASE ORDER _PDF______________________________...EXE
Download: download sample
Signature Formbook
Create hunting rule
File size:819'712 bytes
First seen:2022-02-09 16:01:14 UTC
Last seen:2022-02-10 20:53:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:eyPW2ZMT16xpPicDZp//vkbnUHMQJVm7c2hJMb3MQLXZsqY2+Sea9:NaShJt/v2UsQJVmwgyb7ZspGea9
Threatray 13'205 similar samples on MalwareBazaar
TLSH T12405BD2F097E223AC5BCDB715984CE1FB592CD963537981D29963AD916327F230C222F
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239697/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.25375.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6203e5859c257bc16263c4b6/reports/a3fe5f0a-f279-4def-801e-0cfc78e840f7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e226cb9-ef6d-4a04-96d8-6fd02e024b53
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937021
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 569499 Sample: PURCHASE ORDER  _PDF_______... Startdate: 09/02/2022 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for URL or domain 2->54 56 16 other signatures 2->56 9 PURCHASE ORDER  _PDF______________________________...EXE 7 2->9         started        process3 file4 36 C:\Users\user\AppData\Roaming\rCxSOJj.exe, PE32 9->36 dropped 38 C:\Users\user\...\rCxSOJj.exe:Zone.Identifier, ASCII 9->38 dropped 40 C:\Users\user\AppData\Local\...\tmp8257.tmp, XML 9->40 dropped 42 PURCHASE ORDER  _P..._________...EXE.log, ASCII 9->42 dropped 68 Adds a directory exclusion to Windows Defender 9->68 70 Injects a PE file into a foreign processes 9->70 13 PURCHASE ORDER  _PDF______________________________...EXE 9->13         started        16 powershell.exe 21 9->16         started        18 schtasks.exe 1 9->18         started        signatures5 process6 signatures7 72 Modifies the context of a thread in another process (thread injection) 13->72 74 Maps a DLL or memory area into another process 13->74 76 Sample uses process hollowing technique 13->76 78 Queues an APC in another process (thread injection) 13->78 20 cmd.exe 13->20         started        23 explorer.exe 13->23 injected 26 conhost.exe 16->26         started        28 conhost.exe 18->28         started        process8 dnsIp9 58 Self deletion via cmd delete 20->58 60 Modifies the context of a thread in another process (thread injection) 20->60 62 Maps a DLL or memory area into another process 20->62 64 Tries to detect virtualization through RDTSC time measurements 20->64 30 cmd.exe 1 20->30         started        44 name.shoplazza.store 104.18.128.14, 49847, 80 CLOUDFLARENETUS United States 23->44 46 www.wordlunch.com 23->46 48 4 other IPs or domains 23->48 66 System process connects to network (likely due to code injection or exploit) 23->66 32 autoconv.exe 23->32         started        signatures10 process11 process12 34 conhost.exe 30->34         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/be2d5feff0e6129b41979d8f15047d4dbebfc994ef7e71214324a1f412e4474e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-09 16:02:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xywv737q4yjjwqmxtwhrkbd5jw7l7smu557hcikdesq7iexei5ha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ab19b205a91984c1143c4583130c911131d1606a2f7e38ea91c9c1860cbd14b
Formbook
4f4b5ae0f0189074748699df099160023d7b54c5f078d8ae449066bb94479811
Formbook
7c7116c6a0f1e06e4c252ea45668b85c1fdf3f35216097be1208e14be4066b36
Formbook
c68187b173ad6e5f68910e7e23137e30c348192f861ef27e45bf82c0bc8663e8
Formbook
caf586c9d78e7b0adc9d91286228eba817463d60b912651f2aa43288441d4d48
Formbook
e8e0f125d909bafae93f469222f2cfbcb30585e03825d8442c8934a92fdd6c89
Formbook
efc056b28454aeb8274bbeef16c7c21bb1d4aabd18e06e36627407612d7c6a16
Formbook
ff3f7736a06e89ae300270369d83b922423c8a840903b30a8a21365c4b0b0628
Formbook
+ 13'195 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ihg0 loader rat
Link:
https://tria.ge/reports/220209-tgsvraaha9/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Xloader Payload
Xloader
Unpacked files
SH256 hash:
811078381800166dbbc5fd38d26c3bef261557c73ff977602a2248287073df3f
MD5 hash:
f33cef1ae2de76a7e317e95f89b1c75c
SHA1 hash:
eb42461f6bc3be8d61f900d96ef01d25aef7207b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4e1dcc98-5a30-45a8-af19-a0bfba999c0d/
Parent samples :
d750b5eb0bd3c9b24c2505c127c2a1ab78fd3385a2157083fcabdbba45bef7ba
db93a8cf5c8b72db62392b79b6d89f329801525af7a07e920505068922d00cc3
be2d5feff0e6129b41979d8f15047d4dbebfc994ef7e71214324a1f412e4474e
4c5764d95bdd80b5c98ce78df8684af248550c535adafae13b92b3b79125b871
42cce80e3e20528953d3472513918fa7e3061f68ba6153dfbe7db82cce6df46f
d647a2e8ff08785b542bd885e62aed69fd43ea2dd801f5144bd990ec8719f3ed
3fd7b914185575863f75d5ac1950236aa9cb4aece2fce6ef2a5cdfecdb0860fc
1e8978d9e298c1f7dfc988a4b218badd93df889eab03388033a1683f5b495f10
f7c444ed90a2592c2bff60a8bfd2dc26e285aa49b6df89ec62e8adc25d98abeb
da1950706431dfa31c66d1d99d2bc15bcb02600fecea4fab7c17f97af173cb7c
620376e4bbb28e2ff3c82427767153500ed1c55b8c20c565084940514b33bc9d
7b4b92d6eefbcabd5c2af244e8f048e5d11d1cc2f0c967ff244457aae3844adb
9484b37af380c8c86dbd8234b60e7420e498671548359ca9393ed0402d9dbd80
SH256 hash:
1f7a72cc288fbcaf67f568f5cde3bdfdc403c5d918111cfd067367eee460bab4
MD5 hash:
e69840c8a17f29ee4788048a03663af5
SHA1 hash:
a9b2aef6ea30d7574e21b856e066d94e7832e0e0
Link:
https://www.unpac.me/results/4e1dcc98-5a30-45a8-af19-a0bfba999c0d/
SH256 hash:
0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9
MD5 hash:
263b5190f7ac42d83c756dcdf38147bb
SHA1 hash:
78f419fe3936ed7d603706c47230cd3e6ff79ffe
Link:
https://www.unpac.me/results/4e1dcc98-5a30-45a8-af19-a0bfba999c0d/
SH256 hash:
be2d5feff0e6129b41979d8f15047d4dbebfc994ef7e71214324a1f412e4474e
MD5 hash:
3d4add41bec8d4e426e67145da1ce829
SHA1 hash:
3f0dece659b5ecff0e0e787de7dd9ebd04e61fce
Link:
https://www.unpac.me/results/4e1dcc98-5a30-45a8-af19-a0bfba999c0d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/be2d5feff0e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 4e576807e0abe2998a83843c8c83687645a027b89b5b0ba56aec114d7d01ccae

Formbook

Executable exe be2d5feff0e6129b41979d8f15047d4dbebfc994ef7e71214324a1f412e4474e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 4e576807e0abe2998a83843c8c83687645a027b89b5b0ba56aec114d7d01ccae
Cape
Cape
https://www.capesandbox.com/analysis/239697/

Comments