MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7
SHA3-384 hash: 009af1a3533d69cc5fb90fb1bdf46a85e326df01f3fa5e2af7d57aaf11add86ab58a4cc6e10a29ca686748177b47ac33
SHA1 hash: bf7c9e96ca263d7811f7357f8645af42b04c093b
MD5 hash: 859a1a6574e4a09027f729908318b282
humanhash: lactose-winter-hawaii-enemy
File name:859a1a6574e4a09027f729908318b282
Download: download sample
Signature Formbook
Create hunting rule
File size:431'616 bytes
First seen:2021-09-24 11:25:19 UTC
Last seen:2021-09-24 12:01:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:8qg7fGHfcOKsSjA1pUVUrmOGH5ieTmHnTCyp93MyNNdHaR2TjIPN9KPZt2HS:6GEOME1pUVUih8986xK2XU
Threatray 9'592 similar samples on MalwareBazaar
TLSH T13094E04167CCDE9FE3296A3498117C6082A3D3ED21A2EA4AED4955B13DE630CF711EC7
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MV DINA QUEEN.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-24 08:44:34 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/104637dd-76dd-4908-9858-f8f330170b6e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191148/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.20451.16737.UNOFFICIAL
Create hunting rule

Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc370897-d84b-4c06-aa7e-9a882a0486f0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857324
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 489755 Sample: IKpep4Zn5S Startdate: 24/09/2021 Architecture: WINDOWS Score: 100 31 www.mionegozio.com 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 7 other signatures 2->45 11 IKpep4Zn5S.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\IKpep4Zn5S.exe.log, ASCII 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 59 Injects a PE file into a foreign processes 11->59 15 IKpep4Zn5S.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.sofasstorremolinos.com 217.160.230.95, 49844, 80 ONEANDONE-ASBrauerstrasse48DE Germany 18->33 35 d141fjs.yb550.com 103.248.137.49, 49843, 80 DNC-ASDimensionNetworkCommunicationLimitedHK Hong Kong 18->35 37 11 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 colorcpl.exe 18->22         started        signatures11 process12 signatures13 49 Self deletion via cmd delete 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 09:01:45 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2fc82f206abb0d6d6b4d7a916be93b408ab78f848531917b3968b066a5a31023
Formbook
326a1e669385d8e241375e9eca9f915440f1d0d3f803e6d1648f30102cbedaa6
Formbook
695b006f3b83048d47ea1fcae9d7cbacac8f82b4f3d2908ca20f06788e8b3b92
Formbook
768252369536d1e56aad57c5015925ec464642d13d76468db72e60f9ac4e1a54
Formbook
84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d
Formbook
9545b9927196fd12d327c38b6f99dbfe3be7beeefb9e4c4a9d3b038c5c39c119
Formbook
995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3
Formbook
ef4a9aba2afcd39bbfbce4fde4f5b14869115984d430c2e73353e89e214feaa4
Formbook
f67b56c419eaa4e3df12d7624c0ef0047fb7ca691a888e02225c9ba6610e8f96
Formbook
+ 9'582 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:arup loader rat
Link:
https://tria.ge/reports/210924-njwrjagghn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.sapphiretype.com/arup/
Unpacked files
SH256 hash:
0a91d1253212a874adb2615f72362fd63c31f5ac1c9008c12def5e2fe07ed9d1
MD5 hash:
9c9e1dc29cf7f94a4f99a66d1c00f6e1
SHA1 hash:
5e72a46f4aefa6d02c29fcf1acc4ac60bf03ec75
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/445cda48-f9f6-4d6c-9cab-ad953af550a7/
Parent samples :
995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3
d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7
SH256 hash:
cefe87a0de015dc44dc1086458460be07edba8d9f7211c4bed8a11809d520a72
MD5 hash:
0403b7f4765e08a2f74690caf1a82990
SHA1 hash:
b0e9f69b8c337b605edecdcc3345c6f0045ee04e
Link:
https://www.unpac.me/results/445cda48-f9f6-4d6c-9cab-ad953af550a7/
SH256 hash:
74b796245fd278d7702612d341cd9d7a6a2c86d0d130fd41df3b36c91089ea5c
MD5 hash:
5d02fcf2ded2882ef3f6593b85209f00
SHA1 hash:
ee54f15652dce3374d0df26d416a5a4ec9c0dae3
Link:
https://www.unpac.me/results/445cda48-f9f6-4d6c-9cab-ad953af550a7/
SH256 hash:
8cc39fd271339904e5ddfa4b96dab3f31ffae73de53458f4ddf23b6f493ea245
MD5 hash:
5385a289f22cce31428db9e9fb4cd000
SHA1 hash:
6319c1d383febafeba032d81160d2e2857623e44
Link:
https://www.unpac.me/results/445cda48-f9f6-4d6c-9cab-ad953af550a7/
SH256 hash:
0bfdafea734cf1e2a00401f16789d18084798269c4000e4985acd83a3772e982
MD5 hash:
dbd1976c35143bd203df26305cfa485d
SHA1 hash:
54bd952787f471c0b518b3b0c007e8755ea9dcfc
Link:
https://www.unpac.me/results/445cda48-f9f6-4d6c-9cab-ad953af550a7/
SH256 hash:
d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7
MD5 hash:
859a1a6574e4a09027f729908318b282
SHA1 hash:
bf7c9e96ca263d7811f7357f8645af42b04c093b
Link:
https://www.unpac.me/results/445cda48-f9f6-4d6c-9cab-ad953af550a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1642030/
Cape
Cape
https://www.capesandbox.com/analysis/191148/

Comments


Avatar
zbet commented on 2021-09-24 11:25:21 UTC

url : hxxp://198.23.212.143/etnt/vbc.exe