MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caebdbf7464e4fd875d5b487a5a0e1399329a59ae747ae86db03401f3991811f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: caebdbf7464e4fd875d5b487a5a0e1399329a59ae747ae86db03401f3991811f
SHA3-384 hash: 7344c879de8da024d03b8bd13c4de5ee23826198b99bf8ca1844a58ce0d5ba549b1cda59d51860d73049b5d96b0c8275
SHA1 hash: c8602df2a319a70001996d49e32ad4aede096bcf
MD5 hash: 473869d1f8bcc79d18bfddff824b49f2
humanhash: montana-foxtrot-august-pluto
File name:Bunker inquiry.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:13'824 bytes
First seen:2021-09-09 13:01:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 174469de4f43be3db9bc224ff8a0bf6c (3 x Loki, 1 x NanoCore, 1 x Formbook)
ssdeep 384:S/Hp6kbuppppppppppt6+++++++66G+666+C+++G+++++6+6CqtP+tR++AtRhW+g:SiyTKx36AH
Threatray 9'289 similar samples on MalwareBazaar
TLSH T16E520DD71D95E46AD0A11374A8325295B317B4FA731CA5C3F432A5EBDCE8082FF23986
Reporter malwarelabnet
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bunker inquiry.exe
Verdict:
Malicious activity
Analysis date:
2021-09-09 13:04:32 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/bf0ab100-01b2-4729-b470-c66db9a20bba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186665/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
Unauthorized injection to a system process
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c1735ffe-1bb9-4d9a-850b-bcebcc58c5ad
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848095
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 480536 Sample: Bunker inquiry.exe Startdate: 09/09/2021 Architecture: WINDOWS Score: 100 27 www.mamacita.pro 2->27 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 5 other signatures 2->53 10 Bunker inquiry.exe 14 2->10         started        signatures3 process4 dnsIp5 35 a.uguu.se 144.76.201.136, 443, 49734 HETZNER-ASDE Germany 10->35 55 Maps a DLL or memory area into another process 10->55 14 Bunker inquiry.exe 10->14         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 14->57 59 Maps a DLL or memory area into another process 14->59 61 Sample uses process hollowing technique 14->61 63 Queues an APC in another process (thread injection) 14->63 17 chkdsk.exe 14->17         started        20 explorer.exe 14->20 injected process9 dnsIp10 37 Self deletion via cmd delete 17->37 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 43 Tries to detect virtualization through RDTSC time measurements 17->43 23 cmd.exe 1 17->23         started        29 hendersonmiddle.com 94.237.73.119, 49776, 80 UPCLOUDFI Finland 20->29 31 www.frenchsaucisse.com 23.80.58.244, 49784, 80 LEASEWEB-USA-LAX-11US United States 20->31 33 8 other IPs or domains 20->33 45 System process connects to network (likely due to code injection or exploit) 20->45 signatures11 process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/caebdbf7464e4fd875d5b487a5a0e1399329a59ae747ae86db03401f3991811f/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 02:46:40 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zlv5x52gjzh5q5ovwsd2lihbhgjstjm245d25bw3anab6omrqepq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
26c752e870c67846120eefa974dabdb9ee5b0efd3ddcd45f507aeaa638db2572
Formbook
26cce1d9acb7b8fa82d5179d06aa1a99f70cfc989dbf4d877ea47cebe62cf17b
Formbook
2c5763d9d89f5d97d070891d79c01e1e534a8f626dce226a5b606a9bc999b56d
Formbook
4796e12d5a33b3b717b0ddc65286b9de7479e86bc91cc0bdb843722a5b62951b
Formbook
6f1507120710fd267c7d2b6aa1d63cec192e4eb904675f260a8e2e18ebfc4b99
Formbook
7e9997ea452090062e0512decd987ccd4ad16cc04d8bea777a4c8929b5ba85aa
Formbook
a9c3d37d324e9b6a0ebf9f9369c68cc288117edc4657d086b0fbc0cbafee9e64
Formbook
b55552391ee123f26e577b412c0df78bd0a59644ec510d1e7e708feff12a2abb
Formbook
d80f61a18e120cee699b859e4d84e518e5102357fcad156a000d439590750162
Formbook
dc26789a27709300dcdd742b50b8acb5c4d96d13c0aa5adb69c4f76d8e75c8ba
Formbook
+ 9'279 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:rs8u loader rat
Link:
https://tria.ge/reports/210909-p9sm8sgbg3/
Behaviour
Gathers network information
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.andersonfrancomktg.com/rs8u/
Unpacked files
SH256 hash:
caebdbf7464e4fd875d5b487a5a0e1399329a59ae747ae86db03401f3991811f
MD5 hash:
473869d1f8bcc79d18bfddff824b49f2
SHA1 hash:
c8602df2a319a70001996d49e32ad4aede096bcf
Link:
https://www.unpac.me/results/4a9816d2-9304-44ca-bc5b-fbea5b85b299/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/caebdbf7464e4fd875d5b487a5a0e1399329a59ae747ae86db03401f3991811f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186665/

Comments