MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbe7c0318d2f88aff2f18fc19a824bfdebcf2f7137d85adac1a5799afbb6876b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	cbe7c0318d2f88aff2f18fc19a824bfdebcf2f7137d85adac1a5799afbb6876b
SHA3-384 hash:	321c8ff96e230b0536632d6e0e0749e2a807f5fdbe37531f2e4fb0e46948407811dd1efed6dd4acad9b163cda5875bc7
SHA1 hash:	bf288989eec6aa6a6f4bb2696d189d08d268e0db
MD5 hash:	73f4257033c590c868506ed0a0aa7a29
humanhash:	hamper-twenty-beryllium-chicken
File name:	STSGN5512604-pdf..exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'629'184 bytes
First seen:	2021-07-26 06:53:08 UTC
Last seen:	2021-07-26 07:46:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:/IcLW5oaXpcB7mVSaccPuvcd5OGQT/1/0nS+7n4SYwqK4zf3RTsAHWAgqChJ+hul:wLiecj1a/TEuNQuiNB/e
Threatray	6'885 similar samples on MalwareBazaar
TLSH	T12B75F80C6DDEB26BF65B11BC356C10D85066FC19C708ADB7AE0ABBF67062E95503B087
dhash icon	f0dcf8dcdcd0ccf0 (13 x AgentTesla, 6 x Formbook, 4 x Loki)
Reporter	cocaman
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

STSGN5512604-pdf..exe

Verdict:

Suspicious activity

Analysis date:

2021-07-26 06:56:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f29eb62b-2c7d-4988-bd4e-85776cd01f39

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/174069/

Detection(s):

SecuriteInfo.com.Trojan.MSIL.Noon.lc.2299.9739.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8f81e297-ade8-4299-b8f1-4f3e3b05afdb

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/821642

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Suspect Svchost Activity

Sigma detected: Suspicious Svchost Process

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-07-26 02:29:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

7 of 46 (15.22%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zpt4ammnf6ek74xrr7azvasl7xv46l3rg7mfvwwbuv4zv65wq5vq._file

Verdict:

malicious

Label(s):

formbook

Formbook

0e46a3b97231f644213f60744bedab18b175663564f26462a3bc5e07e096edbe

Formbook

257432b5ffbd5ae253f6be351f71f968d407f15e7f5ea78d7b613c7d663eba9c

Formbook

2d644a76259d879c610a408598ddc4b9b69cafd698913a6524e948a5e421f8eb

Formbook

3cec9bd714745b020366af9537184c619794ef4dee36c99093f53b243c97dcc1

Formbook

6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92

Formbook

80b056a8c2fee08fd3361a8a271dea407425ca335275d49f81a1c50a06d9ed98

Formbook

b55552391ee123f26e577b412c0df78bd0a59644ec510d1e7e708feff12a2abb

Formbook

bd6455c559a9308054622aa9a30388d0ac83dd09af4ce4d1e9a715e2f1baeb53

Formbook

c2f77aaf305ed67feccf0a292e85a872c3d30499aae0311286e55c491f2bd074

Formbook

+ 6'875 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat suricata

Link:

https://tria.ge/reports/210726-yhndterssx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Blocklisted process makes network request

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.desarrollosolucionesnavarro.com/ipa8/

Unpacked files

SH256 hash:

048ff0d4e6b6902b981dfb6295fcaded07fda06e52b3956cfab23d7fa725fe81

MD5 hash:

34be66dabd6d3fe296e5c876add7ce6c

SHA1 hash:

f3fba9c29c21ae916d7fcbec518432a14b38e5ad

Link:

https://www.unpac.me/results/c0e53cc3-5904-4e8e-8c35-0ec9456b6a73/

SH256 hash:

cbe7c0318d2f88aff2f18fc19a824bfdebcf2f7137d85adac1a5799afbb6876b

MD5 hash:

73f4257033c590c868506ed0a0aa7a29

SHA1 hash:

bf288989eec6aa6a6f4bb2696d189d08d268e0db

Link:

https://www.unpac.me/results/c0e53cc3-5904-4e8e-8c35-0ec9456b6a73/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/cbe7c0318d2f88aff2f18fc19a824bfdebcf2f7137d85adac1a5799afbb6876b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.