MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cda350f17f9da84bd3c76f325656630c4724eeaa08949d9d99941859bf8f0315. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cda350f17f9da84bd3c76f325656630c4724eeaa08949d9d99941859bf8f0315
SHA3-384 hash: 84e1ffd19a403ca9b46ab8c2e4769952dc8ed8976a45468c3d70268691a7702c6f4a3fd92c920349a12583fd4dc87099
SHA1 hash: c9121ba150a388a93078a5e5f51a9d46234ff418
MD5 hash: 5ae74ac0fe21a6a624f680a5d9ea7959
humanhash: solar-chicken-robin-jig
File name:aeMGQio1TJuPBzR.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:681'472 bytes
First seen:2023-09-04 14:04:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:2dfSRtdn2lq3PaiXoJT7VXktGsBb9x+2OvPk0EGHkRk6jpM:2wn2lq3yiaTxktGst9S2GHkRpjp
Threatray 3'678 similar samples on MalwareBazaar
TLSH T17FE40113BE26BFBAD17797FA7C2455020762ED1EA640D3458ECBB1E25C31B024479E2B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
aeMGQio1TJuPBzR.exe
Verdict:
Malicious activity
Analysis date:
2023-09-04 14:06:33 UTC
Tags:
formbook xloader stealer spyware
Link:
https://app.any.run/tasks/29f4bb36-dd9d-49f9-9433-d6735d29f5ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/446092/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64f5e40f2a262962b792d773/reports/a9bc711e-4042-44c9-85b2-edf04ec760f3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cda350f17f9da84bd3c76f325656630c4724eeaa08949d9d99941859bf8f0315
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3140e25f-299a-4d30-bb13-fe011540c3d1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1303006
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1303006 Sample: aeMGQio1TJuPBzR.exe Startdate: 04/09/2023 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 8 other signatures 2->45 10 aeMGQio1TJuPBzR.exe 3 2->10         started        process3 signatures4 53 Tries to detect virtualization through RDTSC time measurements 10->53 13 aeMGQio1TJuPBzR.exe 10->13         started        process5 signatures6 55 Modifies the context of a thread in another process (thread injection) 13->55 57 Maps a DLL or memory area into another process 13->57 59 Sample uses process hollowing technique 13->59 61 Queues an APC in another process (thread injection) 13->61 16 explorer.exe 7 6 13->16 injected process7 dnsIp8 29 www.loanslatvia.today 188.114.97.7, 49725, 80 CLOUDFLARENETUS European Union 16->29 31 www.waijaihome.com 16->31 33 4 other IPs or domains 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 37 Uses ipconfig to lookup or modify the Windows network settings 16->37 20 ipconfig.exe 16->20         started        23 autofmt.exe 16->23         started        signatures9 process10 signatures11 47 Modifies the context of a thread in another process (thread injection) 20->47 49 Maps a DLL or memory area into another process 20->49 51 Tries to detect virtualization through RDTSC time measurements 20->51 25 cmd.exe 1 20->25         started        process12 process13 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cda350f17f9da84bd3c76f325656630c4724eeaa08949d9d99941859bf8f0315/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-08-23 12:26:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zwrvb4l7twuexu6hn4zfmvtdbrdsj3vkbckj3hmzsqmftp4pamkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
2016dcdb738fdd4dbcc09bad9e63604259b3b43ff2df2c9a5fc8d26d0cf6ca4c
Formbook
42dc8c1b59e676d065485a22fb11939ad1eac5114d0aba1e841cc404ebc08305
Formbook
43440434172d5730884fa5f0ae4f7ae73c4815e74618d18bc405d18dd325fed4
Formbook
4a85949b7ffe19e22e4191b55b225cb3ac8b59246785144f585006b94e9ba574
Formbook
7e5a4a969f8e5439adceca4bc465664de6f891baf774f5d472cced75a52c5b5d
Formbook
813edf2d24ed87e7182a05b6c7ae8acaee063fe5ff270b82d20ed00030caacb6
Formbook
8d12f8cc8128ab953c82c6dd67bbccea6e9b3e28c3dfd8a4379ebfe6d141096c
Formbook
aae4507b359991ebb7102b2531f939178db88102ac66b5307e5ea065d94639ea
Formbook
afff63cf4baca4e2a5f58803754843aca7c75437c0cd7b0cb6b60efb72692fc9
Formbook
f3a16fbf76dc776eb61b55b5a5aa8d3203e77effc2e05d85f93df96612323095
Formbook
+ 3'668 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:u1r9 rat spyware stealer trojan
Link:
https://tria.ge/reports/230904-rdt8asha39/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
23efea5d8036ebaa4561e6064811e1b7d9058826e3275a7fd61f757b0db123ed
MD5 hash:
937a94e2e4800640936de0bf346e1948
SHA1 hash:
012c3d00fd783c05d3f347df12771501ed078ad4
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/a5ce1acf-0abf-4fa2-9220-d6759b6de079/
Parent samples :
2ea94454b1acb888df318792b9a81e621b95e54619d3306a4a11e26148fb3fe3
cc3282f638a0bf6f5d3246310825760861f1ad6a78e3146c47c3e454e594c909
85e06fedb8cdd8ea049ec9b62d480e58e55356953fc02694863c916d204f5614
cda350f17f9da84bd3c76f325656630c4724eeaa08949d9d99941859bf8f0315
bee949c5192f46467c2fb76490dd2407f4206639c2e5e824c74e879c02fcc342
f72a8d106b976bd572e54e14f09ac3faed9c776395680f5689e412e62239409f
6695e4331e8ce9706466a68a03272ca2e09fa21141d08fede561a93eb8962c9f
096919dfc9600c9942e5ae37ac5526c85ffde3d38c7d000eb01d2d0ded514bbb
0192232934b2f9ae2a37ac4c8188f70804acd4c6718c95a47710f49e2f9ae9b1
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/a5ce1acf-0abf-4fa2-9220-d6759b6de079/
SH256 hash:
6b959869f767cbed167d5169ef0f2375ea56e202a0a8ac8dbb8f05cd1eae661e
MD5 hash:
e845de7a4cd00244a0f9446be285469b
SHA1 hash:
9749766f00920445091f6b27306bf09be01c0ae5
Link:
https://www.unpac.me/results/a5ce1acf-0abf-4fa2-9220-d6759b6de079/
SH256 hash:
1c1b0d81511ac2a9adb39a3ada87e802a309ce757faa65e5718e93eed544d313
MD5 hash:
514fa912e81f570e39c5848bf668f786
SHA1 hash:
37868dab5fc6ada8865223b71c8af93fd6022f64
Link:
https://www.unpac.me/results/a5ce1acf-0abf-4fa2-9220-d6759b6de079/
SH256 hash:
cda350f17f9da84bd3c76f325656630c4724eeaa08949d9d99941859bf8f0315
MD5 hash:
5ae74ac0fe21a6a624f680a5d9ea7959
SHA1 hash:
c9121ba150a388a93078a5e5f51a9d46234ff418
Link:
https://www.unpac.me/results/a5ce1acf-0abf-4fa2-9220-d6759b6de079/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cda350f17f9da84bd3c76f325656630c4724eeaa08949d9d99941859bf8f0315

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446092/

Comments