MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca7655af1ba5f1a9a8886bb63aa6c2860e433f099aebb9b61ec04717711144f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca7655af1ba5f1a9a8886bb63aa6c2860e433f099aebb9b61ec04717711144f2
SHA3-384 hash: 3e5cff73c4418d8479e5bcb297ea538be96d9ba94361bbb8dd91be3e1e47ea2c6bb9c17c6b0e447bf5b914ee3d139cd6
SHA1 hash: 0acd3ea0bd3c4736f1d3ebe20427c393d4dc9660
MD5 hash: 2460400bcab21bd98de65ab17d7aff4b
humanhash: nuts-charlie-angel-hamper
File name:57Hug3.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:715'264 bytes
First seen:2021-06-18 20:52:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:HXrHI2iNuFBkGmm6HUwu3OAzteob9qGqs4hxgyKg5Jmldx+YhnR1C6c1pv4ONL4B:jI1IFiGmm6HhoZqGqth1d5ox+YhTcT09
Threatray 5'839 similar samples on MalwareBazaar
TLSH 3BE4CF2439FA6519F177AF7A5AE474C6DAEEFA633703D41928A0038B0723F41CD9153A
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
57Hug3.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-18 20:54:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d570b6b6-f28f-4be9-ae5f-f6c5d12483a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166917/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/72ec4b57-3300-44f4-ab37-762591061fb7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804566
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 436977 Sample: 57Hug3.exe Startdate: 18/06/2021 Architecture: WINDOWS Score: 100 27 www.mountainriveroutdoor.com 2->27 29 www.globalrobot.xyz 2->29 31 2 other IPs or domains 2->31 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 8 other signatures 2->55 9 57Hug3.exe 3 2->9         started        13 explorer.exe 2->13         started        signatures3 process4 dnsIp5 25 C:\Users\user\AppData\...\57Hug3.exe.log, ASCII 9->25 dropped 57 Tries to detect virtualization through RDTSC time measurements 9->57 59 Injects a PE file into a foreign processes 9->59 16 57Hug3.exe 9->16         started        33 karevolutions.com 74.220.219.210, 49733, 80 UNIFIEDLAYER-AS-1US United States 13->33 35 www.nakahara-shoukai.com 120.136.14.25, 49746, 80 SAKURA-CSAKURAInternetIncJP Japan 13->35 37 12 other IPs or domains 13->37 61 System process connects to network (likely due to code injection or exploit) 13->61 19 WWAHost.exe 13->19         started        file6 signatures7 process8 signatures9 39 Modifies the context of a thread in another process (thread injection) 16->39 41 Maps a DLL or memory area into another process 16->41 43 Sample uses process hollowing technique 16->43 45 Queues an APC in another process (thread injection) 16->45 47 Tries to detect virtualization through RDTSC time measurements 19->47 21 cmd.exe 1 19->21         started        process10 process11 23 conhost.exe 21->23         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ca7655af1ba5f1a9a8886bb63aa6c2860e433f099aebb9b61ec04717711144f2/
Threat name:
ByteCode-MSIL.Trojan.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-06-17 05:37:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
28 of 46 (60.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zj3flly3uxy2tkeino3dvjwcqyhegpyjtlv3tnq6ybdro4iritza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14854d1ce96dcc9795941ec7248f8d2481d5649cdeecaccbfe840f259bc50bde
Formbook
1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
Formbook
5e1f329763e009d5904cf7ec8aff6e796dfc6de880b0d4ca0dfdc5d2518528b7
Formbook
6c6dd45a923d7eb6fa1f114a5a4c20fab27bc03e44a5c8cb8627d43da93dfe48
Formbook
7531be8656ccc4c8d8cfac7b13b06f3ed9b533274c71f393712ab1c9b81716fc
Formbook
9171cd06885b2fba3cd37d0b3651c90dc787d6f2e432e4a1b13defb0efb36df6
Formbook
9ecedea13dc027095e79edab82e3988f028dfda3ea5b5469351a52a82a60ff7f
Formbook
aace20e28e61cb328da74ff938231b1ce9a07498d477efe3efc5c5d3d04b9dc1
Formbook
dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450
Formbook
f782375e80f3a68b36457886ac1c6490e2497e6c9fb3ffdb33c1679597f0770e
Formbook
+ 5'829 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210618-a8aq46dwx2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.nakahara-shoukai.com/i3vu/
Unpacked files
SH256 hash:
92ae1b933de3b46a0208ef75f65699716926fa0cea1afd74fc424b8afde249ce
MD5 hash:
0f5baeb5436502a670de5e6b88984ff3
SHA1 hash:
e3b11d344778b0de8e8e9261e519119c0872839e
Link:
https://www.unpac.me/results/8f3fddfa-02a8-441b-9453-a1b4f5863485/
SH256 hash:
ca7655af1ba5f1a9a8886bb63aa6c2860e433f099aebb9b61ec04717711144f2
MD5 hash:
2460400bcab21bd98de65ab17d7aff4b
SHA1 hash:
0acd3ea0bd3c4736f1d3ebe20427c393d4dc9660
Link:
https://www.unpac.me/results/8f3fddfa-02a8-441b-9453-a1b4f5863485/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/ca7655af1ba5f1a9a8886bb63aa6c2860e433f099aebb9b61ec04717711144f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/166917/

Comments