MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0be19c0b5adf0b25e4eab364d23035d375cdceb14835a5d40642400a82e15f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0be19c0b5adf0b25e4eab364d23035d375cdceb14835a5d40642400a82e15f7
SHA3-384 hash: 9c51120f6a624c566a83853e14d66339d6f727733fbe9a710d02e9b1204691b8fb7c26e24528f39337cbbb6701fb2baf
SHA1 hash: 26184c68cd64ff6fcd930036be763ca26db550ac
MD5 hash: 89f9daece1506827a8a91dc087fb7357
humanhash: victor-rugby-social-indigo
File name:ELEGANT MARINE.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:423'424 bytes
First seen:2021-11-02 06:53:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:Gde/LcVGoKWDtDGjQoFC9XD1ueK5l7TQIF5Nn8E3wWKtB92vm0frl1SCwOK:kdVGoTDfo45DkZ5LBp31XmmgCc
Threatray 11'645 similar samples on MalwareBazaar
TLSH T11D949E5673074A16E82CA775DFB73B110760BBE66C728717A3C5A92E601E2E73EC0706
File icon (PE):PE icon
dhash icon e9c0889999add0a8 (6 x AgentTesla, 2 x Formbook, 1 x AveMariaRAT)
Reporter cocaman
Tags:exe FormBook


Avatar
cocaman
Malicious email (T1566.001)
From: "Juan Thomson<tact@johnica.com>" (likely spoofed)
Received: "from [45.133.1.148] (unknown [45.133.1.148]) "
Date: "1 Nov 2021 18:15:26 -0700"
Subject: "VESSEL ELEGANT MARINE"
Attachment: "ELEGANT MARINE.exe"

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ELEGANT MARINE.exe
Verdict:
Malicious activity
Analysis date:
2021-11-02 06:59:07 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/03537e63-8fda-4462-82f1-62033c9fc663

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201278/
Detection(s):
Win.Dropper.Generic-7113183-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6180e08d1c62c356607e7b93/reports/9fb71b7c-57b3-4f78-8521-1647276f29ac/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e7f564df-42e4-42b1-81d0-6cf1eadcf2ff
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/880987
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 513423 Sample: ELEGANT MARINE.exe Startdate: 02/11/2021 Architecture: WINDOWS Score: 100 35 www.fernandocarretero.com 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 10 other signatures 2->49 11 ELEGANT MARINE.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...LEGANT MARINE.exe, PE32 11->29 dropped 31 C:\...LEGANT MARINE.exe:Zone.Identifier, ASCII 11->31 dropped 33 C:\Users\user\...LEGANT MARINE.exe.log, ASCII 11->33 dropped 61 Writes to foreign memory regions 11->61 63 Allocates memory in foreign processes 11->63 65 Injects a PE file into a foreign processes 11->65 15 ELEGANT MARINE.exe 11->15         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 18 explorer.exe 15->18 injected process9 dnsIp10 37 www.c-ver-huawei.net 156.240.160.85, 49702, 80 Africa-on-Cloud-ASZA Seychelles 18->37 39 fourjmedia.com 192.0.78.24, 49701, 80 AUTOMATTICUS United States 18->39 41 2 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 raserver.exe 18->22         started        signatures11 process12 signatures13 53 Self deletion via cmd delete 22->53 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 59 Tries to detect virtualization through RDTSC time measurements 22->59 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d0be19c0b5adf0b25e4eab364d23035d375cdceb14835a5d40642400a82e15f7/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-11-02 02:49:22 UTC
AV detection:
8 of 44 (18.18%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2c7btqfvvxylexsovm3e2iydlu3vzxhlcsbvuxkamqsabkbocx3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
014fdffc1561ee767b1189c5b496f587d16ba7d394ca9d26d2e7d6f8541ebc92
Formbook
1bbc8a34b7590c1593c5a79a8d0f93b17a162f44893c37aa11e4cb9e0e2d96bf
Formbook
21350c749a15b06efda33cae533086eab02ef83685d539556407633676de94bb
Formbook
26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495
Formbook
2cf9a6fd4361184dbe79b2067472bdb6ac2907b89e78e213cf0eadd69ed10cd1
Formbook
4bb96dffcc0b4cba1f4ee2ed04e32d724e486c88b0e8492b3e5efb1ec0928c0e
Formbook
7b11c921e5383232009985b5912967978ae269287359f9c1718c2b37e1a067f8
Formbook
bb8e1d48225b002a4da7d0c33051e7fc457e244ed610f536b87702439d978a46
Formbook
fbaf103427e20432a3dcf19733b5f447bb6f0b2e5c700c76df55c2d977d080ae
Formbook
+ 11'635 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:w8n5 loader rat
Link:
https://tria.ge/reports/211102-hn8n1abhb9/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.fourjmedia.com/w8n5/
Unpacked files
SH256 hash:
6dbe982909b1e58a689ddd342b77f94fddee400274ed3ae2446cba7af314c21d
MD5 hash:
b26579d3f3b23db099981355a260c103
SHA1 hash:
d62b335850d6a29bda6ad76c271ed0a2a52df1b7
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/106e87e1-3f07-4c91-9eb9-5d37bd510367/
SH256 hash:
25bb32e1d9a1ecc58d23c0bb69aa8dec56037da6b9f4b0fe1eb819a5ddb9b1e4
MD5 hash:
f5f0b6324208f9ed3d7c636a016bc876
SHA1 hash:
d2cde3d26d24a917cdcd963084012bc5b6f4d253
Link:
https://www.unpac.me/results/106e87e1-3f07-4c91-9eb9-5d37bd510367/
SH256 hash:
268dcfe0747bc9481e4929a6b01c4451d22653f75366b80005e4579e43779880
MD5 hash:
5dc2423503a5504019bd22251e7049d6
SHA1 hash:
89291b802d5746d4c93e04056c601a3aac93c0ee
Link:
https://www.unpac.me/results/106e87e1-3f07-4c91-9eb9-5d37bd510367/
SH256 hash:
d0be19c0b5adf0b25e4eab364d23035d375cdceb14835a5d40642400a82e15f7
MD5 hash:
89f9daece1506827a8a91dc087fb7357
SHA1 hash:
26184c68cd64ff6fcd930036be763ca26db550ac
Link:
https://www.unpac.me/results/106e87e1-3f07-4c91-9eb9-5d37bd510367/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d0be19c0b5ad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/d0be19c0b5adf0b25e4eab364d23035d375cdceb14835a5d40642400a82e15f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d0be19c0b5adf0b25e4eab364d23035d375cdceb14835a5d40642400a82e15f7

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
Dropping
Formbook
Cape
Cape
https://www.capesandbox.com/analysis/201278/

Comments