MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca77df966e202e0eab6d3c2280f95fb59aee28b5e9e540be3dca1d66c46bf2af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca77df966e202e0eab6d3c2280f95fb59aee28b5e9e540be3dca1d66c46bf2af
SHA3-384 hash: 4775cb28fe69e173660b6884e59c11fc52360813e255ee30ba43fa8e9289d0e7673274faabcb82b3c5c3a709fc3cba5b
SHA1 hash: 0d800c1d6788eaafa5d581b7937315ffaee11bf1
MD5 hash: 1e40c98d3677061af5e7d6737f6ba86f
humanhash: nevada-football-bulldog-low
File name:1e40c98d3677061af5e7d6737f6ba86f
Download: download sample
Signature Formbook
Create hunting rule
File size:1'031'168 bytes
First seen:2022-03-21 10:07:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:uU9RBn6D+762whRENekK6rzmrpc6tWvrIGH6RidZlg2WhEq:ucjm+7Revt4IGHjz
Threatray 10'229 similar samples on MalwareBazaar
TLSH T1BD25239273AB9B36D04AA236A1D69A001FF65BE2B003FBD574C9330D4216B4217497FF
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253505/
Detection(s):
SecuriteInfo.com.generic.ml.5132.13970.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62384e970cd58dbd92cdb843/reports/3b7a5ccb-fbce-483d-a994-f0f8a3df59d8/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/26b0b4a0-607f-462b-b650-299867ef43e0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/960620
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Application Executed Non-Executable Extension
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Yara detected Shellcode strings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 593105 Sample: bVEHmOS2ZI Startdate: 21/03/2022 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 17 other signatures 2->52 10 bVEHmOS2ZI.exe 7 2->10         started        process3 file4 38 C:\Users\user\AppData\Roaming\jvPXysCP.exe, PE32 10->38 dropped 40 C:\Users\...\jvPXysCP.exe:Zone.Identifier, ASCII 10->40 dropped 42 C:\Users\user\AppData\Local\...\tmpF8E8.tmp, XML 10->42 dropped 44 C:\Users\user\AppData\...\bVEHmOS2ZI.exe.log, ASCII 10->44 dropped 54 Uses schtasks.exe or at.exe to add and modify task schedules 10->54 56 Adds a directory exclusion to Windows Defender 10->56 14 RegSvcs.exe 10->14         started        17 RegSvcs.exe 10->17         started        19 powershell.exe 25 10->19         started        21 schtasks.exe 1 10->21         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 23 explorer.exe 14->23 injected 72 Tries to detect virtualization through RDTSC time measurements 17->72 25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        process8 process9 29 rundll32.exe 23->29         started        signatures10 58 Modifies the context of a thread in another process (thread injection) 29->58 60 Maps a DLL or memory area into another process 29->60 62 Tries to detect virtualization through RDTSC time measurements 29->62 32 cmd.exe 1 29->32         started        34 explorer.exe 1 153 29->34         started        process11 process12 36 conhost.exe 32->36         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ca77df966e202e0eab6d3c2280f95fb59aee28b5e9e540be3dca1d66c46bf2af/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-21 09:10:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zj357ftoeaxa5k3nhqrib6k7wwno4kfv5hsubpr5ziownrdl6kxq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2bb47abc0ec7e4e48aa80d53e19056c6adbef6b1392b3816aa335364325870fb
Formbook
374874898c5386561d60c3fae0482d1caee783f1096dda6742b1c073175a0a14
Formbook
3f0b6a2e50e39420c7b91acb35c08bb088c1ccaaa889491559a572dc481bf489
Formbook
6fb859be1f19ec66d032758b38eade770aedc4f60b2341284ff407647980852b
Formbook
b36891ab4a7fa6be1680a65614dd5551a3fa8a89052c381a954601eedd82e62c
Formbook
c86f3a2110ed2a8498cf30d4ab88cf9ea18edc612835fe2b369e7596dafb802e
Formbook
ca77df966e202e0eab6d3c2280f95fb59aee28b5e9e540be3dca1d66c46bf2af
Formbook
d89f28603b8948dd7217e42366328a6e9bd05d59e5de67a4c39f207f8a520d43
Formbook
df1510f64189b49ffeb4630c74af81a86888114102b493f52b5ad1c1cb58d121
Formbook
+ 10'219 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:vfm2 loader rat suricata
Link:
https://tria.ge/reports/220321-l58l4sbeam/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
c3ea95ed9e20eb7bc50039ad0221950d40382c9ee6f3294a099a50a206d66634
MD5 hash:
0a6e106bb66c6a4487ee3378557f94ff
SHA1 hash:
6f275ae04cafae72b71aab28118919f474234e8c
Link:
https://www.unpac.me/results/72216c3e-4ade-4977-a352-744d7925816c/
SH256 hash:
4534b4cdcb4401f0b91fd63f2fe71815243c898054c0bcfa5e2706c958cca8c3
MD5 hash:
e70b380c9fbe383bf8dc045742944623
SHA1 hash:
9a3ee7ad2879e76e370d8f6245b4833e48b15d3d
Link:
https://www.unpac.me/results/72216c3e-4ade-4977-a352-744d7925816c/
SH256 hash:
6ff21c090296e9fd3ec2b17e03e184e2396adf4013b2a4f4c9dea5bd7aff38f7
MD5 hash:
7c3fb3e3d91e338ae917c4cb46895e71
SHA1 hash:
ba577b8ccb3c6bbc5e9e3a838aec98859cd4dbaa
Link:
https://www.unpac.me/results/72216c3e-4ade-4977-a352-744d7925816c/
SH256 hash:
aebfe918b516192a6ecdad451f90e8ae597b91d8c650be89363c45d20f5a41cb
MD5 hash:
4c3cfedf5d918c8277075db324ba11de
SHA1 hash:
eca39c0b3ec056a38e9c3a75902a40af9480cf2e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/72216c3e-4ade-4977-a352-744d7925816c/
Parent samples :
4ba1bb8220fe9f1c374cf2583459ac05af4ecf4a0ed023f42cac04da0dd0ea8b
94e8308989d63f75b02e89c5d30e01d9d7dedbf7bb446d3aa6fb83b6e20bcecc
3354bfb1dd06bae0110dac4363b13fde838e8299af8d9acb67fe5a39ae4159bf
6e164cb51ca6a0c1c9c27d4d4fece6d970bfe924be2f5766fd2d04bd59fe0d6e
c349c8a20c6576c397a5dff95fb121e7a16dfdd992e08694a4aacf387cf8c3e7
19d34ef30d521849caa19f1cf2adc2f4c8097483cfb436ff6066ad60387b630f
ca77df966e202e0eab6d3c2280f95fb59aee28b5e9e540be3dca1d66c46bf2af
SH256 hash:
ca77df966e202e0eab6d3c2280f95fb59aee28b5e9e540be3dca1d66c46bf2af
MD5 hash:
1e40c98d3677061af5e7d6737f6ba86f
SHA1 hash:
0d800c1d6788eaafa5d581b7937315ffaee11bf1
Link:
https://www.unpac.me/results/72216c3e-4ade-4977-a352-744d7925816c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca77df966e202e0eab6d3c2280f95fb59aee28b5e9e540be3dca1d66c46bf2af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe ca77df966e202e0eab6d3c2280f95fb59aee28b5e9e540be3dca1d66c46bf2af

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2108905/
Cape
Cape
https://www.capesandbox.com/analysis/253505/

Comments


Avatar
zbet commented on 2022-03-21 10:07:41 UTC

url : hxxp://107.172.73.140/hmh/bob.exe