MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c758a144ef7bd2ff92ebdf26a2cdca36d6b252bf4eb97d175224d000d66b8e4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c758a144ef7bd2ff92ebdf26a2cdca36d6b252bf4eb97d175224d000d66b8e4e
SHA3-384 hash: 1f6f6d4a5d5f49366e96e6a1fe9d6266dbfb39007e060afefbb029e44b2436d9e4b095a18049ae85ea0ec642f7b74e1d
SHA1 hash: c755bf788ab93d91f6134e0800150516ee1471d1
MD5 hash: b37261611d833b5fff7a35ff65c0b8ea
humanhash: seventeen-beer-berlin-tennessee
File name:PI_2992.xlsx
Download: download sample
Signature Formbook
Create hunting rule
File size:213'384 bytes
First seen:2022-05-10 09:48:23 UTC
Last seen:2022-05-10 14:56:19 UTC
File type:Excel file xlsx
MIME type:application/encrypted
ssdeep 3072:Os+NT0KbKDHIBhrRY6fCUbnRuxEQDNF11pbPsllfWIKw1sNwJDl+Ru9YhcgVbcBj:dhDHCrK6fCUbnRY1L+Lsq+RrShBj
TLSH T1A824122F3E06399EDFF19F31412D890AE235FE016B1644207419F48A87F7A5D48FA99A
Reporter cyberthint
Tags:CVE-2017-11882 CVE-2018-0802 excel FormBook macro ole xloader xlsx


Avatar
cyberthint
We detected on 2022-05-10 date.

Dropped Executable Files:
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\vbc[1].exe (sha256: cd0e5f95d69e940b3f7555489edfe29b2cf27bd2a66ef9019d68c39a4271e9c8)
C:\Users\admin\AppData\Local\Temp\ontkvxymz.exe (sha256: 86b0de8b61e31749f8e8b17f60731928df66fa59072a4ba75410cc19033b6553)

DNS Requests:
dingshicheng.com
ramblingkinkster.com

Connections:
217.160.0.176
185.29.9.18

HTTP Requests:
http://185.29.9.18/2992/vbc.exe
http://www.ramblingkinkster.com/b86g/?PV=bAjICuKTO++ETiss7ncU3GEqPO/C61uAdielS5okOguflAo4cOE5Lsgs4NYURUR+CzNbSQ==&sZQl=pBedbv90RBiDGVF0

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump
Detection: VelvetSweatshop

MalwareBazaar was able to identify 6 sections in this file using oledump:

Section IDSection sizeSection name
164 bytesDataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
2112 bytesDataSpaces/DataSpaceMap
3208 bytesDataSpaces/TransformInfo/StrongEncryptionTransform/Primary
476 bytesDataSpaces/Version
5206728 bytesEncryptedPackage
6224 bytesEncryptionInfo

Intelligence

File Origin
# of uploads :
4
# of downloads :
487
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PI_2992.xlsx
Verdict:
Malicious activity
Analysis date:
2022-05-10 09:28:52 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader formbook trojan stealer
Link:
https://app.any.run/tasks/a4c466b4-906c-400b-be58-1e670c476359

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
False
Detection(s):
PUA.Doc.Packed.EncryptedDoc-6563700-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Launching a process
Creating a file
Сreating synchronization primitives
Creating a file in the %temp% directory
Changing an executable file
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source by exploiting the app vulnerability
Creating a process from a recently created file
Infecting executable files
Unauthorized injection to a system process
Result
Verdict:
Malicious
File Type:
OOXML Excel File with Embedding Objects in Encrypted Excel File
Link:
https://app.docguard.net/c758a144ef7bd2ff92ebdf26a2cdca36d6b252bf4eb97d175224d000d66b8e4e/results/dashboard
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe CVE-2018-0802 embedequation exploit shell32.dll shellcode VelvetSweatshop
Link:
https://www.filescan.io/uploads/627a351eb119a5f609b6e85a/reports/f64580f8-2cf7-4504-b438-52b2ccae173c/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c758a144ef7bd2ff92ebdf26a2cdca36d6b252bf4eb97d175224d000d66b8e4e
Details
Document With No Content
Document contains little or no semantic information.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/990829
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Shellcode detected
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 623325 Sample: PI_2992.xlsx Startdate: 10/05/2022 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 12 other signatures 2->65 11 EQNEDT32.EXE 12 2->11         started        16 EXCEL.EXE 34 32 2->16         started        process3 dnsIp4 45 185.29.9.18, 49171, 80 DATACLUB-SE European Union 11->45 39 C:\Users\user\AppData\Local\...\vbc[1].exe, PE32 11->39 dropped 41 C:\Users\Public\VBC.exe, PE32 11->41 dropped 87 Office equation editor establishes network connection 11->87 89 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 11->89 18 VBC.exe 19 11->18         started        43 C:\Users\user\Desktop\~$PI_2992.xlsx, data 16->43 dropped file5 signatures6 process7 file8 37 C:\Users\user\AppData\Local\...\ontkvxymz.exe, PE32 18->37 dropped 67 Multi AV Scanner detection for dropped file 18->67 69 Machine Learning detection for dropped file 18->69 22 ontkvxymz.exe 18->22         started        signatures9 process10 signatures11 71 Multi AV Scanner detection for dropped file 22->71 73 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 22->73 75 Tries to detect virtualization through RDTSC time measurements 22->75 77 Injects a PE file into a foreign processes 22->77 25 ontkvxymz.exe 22->25         started        process12 signatures13 79 Modifies the context of a thread in another process (thread injection) 25->79 81 Maps a DLL or memory area into another process 25->81 83 Sample uses process hollowing technique 25->83 85 Queues an APC in another process (thread injection) 25->85 28 explorer.exe 25->28 injected process14 dnsIp15 47 www.univerdelacreation.com 213.186.33.5, 49173, 80 OVHFR France 28->47 49 www.touchezixun.com 154.90.64.138, 49172, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 28->49 51 4 other IPs or domains 28->51 91 System process connects to network (likely due to code injection or exploit) 28->91 32 cscript.exe 28->32         started        signatures16 process17 signatures18 53 Modifies the context of a thread in another process (thread injection) 32->53 55 Maps a DLL or memory area into another process 32->55 57 Tries to detect virtualization through RDTSC time measurements 32->57 35 cmd.exe 32->35         started        process19
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c758a144ef7bd2ff92ebdf26a2cdca36d6b252bf4eb97d175224d000d66b8e4e/
Threat name:
Document-Office.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2022-05-10 08:12:52 UTC
File Type:
Document
Extracted files:
52
AV detection:
20 of 41 (48.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y5mkcrhpppjp7exl34tkftokg3lleuv7j24x2f2setiabvtlrzha._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b86g loader rat suricata
Link:
https://tria.ge/reports/220510-ltbs1agec4/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c758a144ef7bd2ff92ebdf26a2cdca36d6b252bf4eb97d175224d000d66b8e4e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe cd0e5f95d69e940b3f7555489edfe29b2cf27bd2a66ef9019d68c39a4271e9c8

Formbook

Excel file xlsx c758a144ef7bd2ff92ebdf26a2cdca36d6b252bf4eb97d175224d000d66b8e4e

(this sample)

86b0de8b61e31749f8e8b17f60731928df66fa59072a4ba75410cc19033b6553

anyrun
any.run
https://app.any.run/tasks/a4c466b4-906c-400b-be58-1e670c476359
  
Link
https://www.virustotal.com/gui/file/cd0e5f95d69e940b3f7555489edfe29b2cf27bd2a66ef9019d68c39a4271e9c8/
  
Link
https://www.virustotal.com/gui/file/86b0de8b61e31749f8e8b17f60731928df66fa59072a4ba75410cc19033b6553/
  
Dropped by
SHA256 cd0e5f95d69e940b3f7555489edfe29b2cf27bd2a66ef9019d68c39a4271e9c8
  
Dropping
SHA256 86b0de8b61e31749f8e8b17f60731928df66fa59072a4ba75410cc19033b6553
  
Delivery method
Distributed via e-mail attachment
  
URLhaus
https://urlhaus.abuse.ch/url/2188261/
  
Dropped by
MD5 643eead21d07a4bb7c11bb4c7459f898

Comments