MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d17ea6f751d401fc47fbe5ec01bada28c9dc1294054dd07341b690d232200aee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d17ea6f751d401fc47fbe5ec01bada28c9dc1294054dd07341b690d232200aee
SHA3-384 hash: 12665fe6815a162c129ce984c73423158bac2e05af77eaa453b3d3f643abeb44bfc041ffba5024be916fb79763edd6e9
SHA1 hash: fff694376efc1a026a5b744540e40b24283947c3
MD5 hash: b3a5b92604a35fc375ed40a1cf9b91b2
humanhash: massachusetts-yankee-leopard-fifteen
File name:bae.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:858'624 bytes
First seen:2022-06-07 15:23:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:Y/7zz26f+W0aQXfDJNP2iNd9qrad/BqmfyHcjs7QhvOelYPde6Ljfehgmup7gK:Y/S6fYNP1nyaiKfs0hvOelkX6uVgK
TLSH T11305E1447302EC7EF1294E77ACA154046B70461E82ABE66BB6CD32CD245F3CB1AF6653
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
349
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
bae.exe
Verdict:
Malicious activity
Analysis date:
2022-06-07 17:06:55 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/5e072694-dafa-4b6b-b1df-5c5c73e0ba67

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277451/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.1364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/629f6d99c221aaaa25bfb789/reports/fb14253d-1ac6-495d-a88a-f1d35e4af75b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff3bb70d-56fa-4747-a459-699d0d1872bb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1008307
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 640827 Sample: bae.exe Startdate: 07/06/2022 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 6 other signatures 2->47 9 bae.exe 7 2->9         started        process3 file4 33 C:\Users\user\AppData\...\bGYFxLpfNeiTCy.exe, PE32 9->33 dropped 35 C:\...\bGYFxLpfNeiTCy.exe:Zone.Identifier, ASCII 9->35 dropped 37 C:\Users\user\AppData\Local\...\tmp626C.tmp, XML 9->37 dropped 39 C:\Users\user\AppData\Local\...\bae.exe.log, ASCII 9->39 dropped 55 Uses schtasks.exe or at.exe to add and modify task schedules 9->55 57 Adds a directory exclusion to Windows Defender 9->57 59 Tries to detect virtualization through RDTSC time measurements 9->59 13 bae.exe 9->13         started        16 powershell.exe 25 9->16         started        18 schtasks.exe 1 9->18         started        signatures5 process6 signatures7 61 Modifies the context of a thread in another process (thread injection) 13->61 63 Maps a DLL or memory area into another process 13->63 65 Sample uses process hollowing technique 13->65 67 Queues an APC in another process (thread injection) 13->67 20 msiexec.exe 13->20         started        23 explorer.exe 13->23 injected 25 conhost.exe 16->25         started        27 conhost.exe 18->27         started        process8 signatures9 49 Self deletion via cmd or bat file 20->49 51 Modifies the context of a thread in another process (thread injection) 20->51 53 Maps a DLL or memory area into another process 20->53 29 cmd.exe 1 20->29         started        process10 process11 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d17ea6f751d401fc47fbe5ec01bada28c9dc1294054dd07341b690d232200aee/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-06-07 15:22:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2f7kn52r2qa7yr734xwadow2fde5yeuuavg5a42bw2inemrablxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:ah8e loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220607-ss225aaaa4/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
8532847edcb2a09cb1f537294fc95621654c3e47dd6085c871934eaa45f08813
MD5 hash:
93afe06d5148d04443fc59352f049dec
SHA1 hash:
e680ce1a25c326569960ff6d62b2b574acd8da54
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a83d442d-b83f-4367-9552-11c01a9de3f9/
Parent samples :
d17ea6f751d401fc47fbe5ec01bada28c9dc1294054dd07341b690d232200aee
e8be37f142bec9e9bf1a6038d7e7c246ad75b9b8ab966d1a92d807b7d9220de5
e05a70145e79856ae8df1af7e086832459ef0cec8356650c6414cf56433a12eb
SH256 hash:
5bab25d91616bd56d8a206d0eb71074a0ea5113414fb7cc7d640e930ef054b41
MD5 hash:
fd925a5b220ee712151b52681ea2ebf6
SHA1 hash:
86a27e0c4bec9a075a4ad8e1a39b749ce39d0582
Link:
https://www.unpac.me/results/a83d442d-b83f-4367-9552-11c01a9de3f9/
SH256 hash:
59b39167d7edfc068938cfa6c82ba3cb8a2a68aafbecf469dbd5b4a4da2ac52d
MD5 hash:
0a7b97d23e4a84753cbbce9c8b616aaa
SHA1 hash:
8379060bc50b6d66befed966c93fc0bbf810bdef
Link:
https://www.unpac.me/results/a83d442d-b83f-4367-9552-11c01a9de3f9/
SH256 hash:
a675f303f6e1ed214cb7ae9910246a1d54565da05690b29001d713f2acaad961
MD5 hash:
feed7bf03a05e5d55c945349f4db4399
SHA1 hash:
19021308efc63f8063b7d9b805b2a75ba18b3833
Link:
https://www.unpac.me/results/a83d442d-b83f-4367-9552-11c01a9de3f9/
SH256 hash:
d17ea6f751d401fc47fbe5ec01bada28c9dc1294054dd07341b690d232200aee
MD5 hash:
b3a5b92604a35fc375ed40a1cf9b91b2
SHA1 hash:
fff694376efc1a026a5b744540e40b24283947c3
Link:
https://www.unpac.me/results/a83d442d-b83f-4367-9552-11c01a9de3f9/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d17ea6f751d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d17ea6f751d401fc47fbe5ec01bada28c9dc1294054dd07341b690d232200aee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/277451/
  
URLhaus
https://urlhaus.abuse.ch/url/2228748/

Comments