MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db10e161fe1e1e3c38b8865a487d134445fb0f07a5e8fe466f75948e2a605b5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db10e161fe1e1e3c38b8865a487d134445fb0f07a5e8fe466f75948e2a605b5f
SHA3-384 hash: 3e3d9616667f1d989e093bd28616ee0e4bcb8c2ac9f6ca8c52cf02f490777de7894a0b03e255c39826a06a020650bafe
SHA1 hash: ec8e479ecff2c6c14bbc013f99834b43adb15bb4
MD5 hash: 853a7f2d2bf164d8f591d8e014e2f9c4
humanhash: michigan-emma-fifteen-foxtrot
File name:PO-INQUIRY-VALE-SP-2022-60.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:606'208 bytes
First seen:2022-05-25 02:26:41 UTC
Last seen:2022-05-25 03:39:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:o5bEu8ex0GZFFCyx9EychdaD9dj/eGn+CEKmEudNaAqP8vE/cNDBlOUC:GbEu32Fhoz/zn+jdzqP88/cBBM
Threatray 15'779 similar samples on MalwareBazaar
TLSH T194D423116B90C71DDF7A87BA1424140403F2B447BA15EB4ECE9B60DB0963389DBBAF97
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
314
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PO-INQUIRY-VALE-SP-2022-60.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 02:30:07 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/2936dec2-2234-4bfd-bcfe-ef3a8464fdbc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/274318/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/628d94143ec49f83a6c91d2f/reports/d6ef891a-0162-4354-8498-aa4e1610eab8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/71ed3768-fc2b-42c4-96f0-1fd275d928f7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001211
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 633705 Sample: PO-INQUIRY-VALE-SP-2022-60.exe Startdate: 25/05/2022 Architecture: WINDOWS Score: 100 30 www.hucosii.xyz 2->30 38 Snort IDS alert for network traffic 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 7 other signatures 2->44 11 PO-INQUIRY-VALE-SP-2022-60.exe 3 2->11         started        signatures3 process4 signatures5 58 Tries to detect virtualization through RDTSC time measurements 11->58 60 Injects a PE file into a foreign processes 11->60 14 PO-INQUIRY-VALE-SP-2022-60.exe 11->14         started        17 PO-INQUIRY-VALE-SP-2022-60.exe 11->17         started        process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 19 explorer.exe 14->19 injected process8 dnsIp9 32 danilhodoekhi.com 15.197.142.173, 49704, 80 TANDEMUS United States 19->32 34 www.shibecha.info 183.181.98.2, 49709, 80 SAKURA-CSAKURAInternetIncJP Japan 19->34 36 10 other IPs or domains 19->36 46 System process connects to network (likely due to code injection or exploit) 19->46 48 Performs DNS queries to domains with low reputation 19->48 23 WWAHost.exe 19->23         started        signatures10 process11 signatures12 50 Self deletion via cmd delete 23->50 52 Modifies the context of a thread in another process (thread injection) 23->52 54 Maps a DLL or memory area into another process 23->54 56 Tries to detect virtualization through RDTSC time measurements 23->56 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/db10e161fe1e1e3c38b8865a487d134445fb0f07a5e8fe466f75948e2a605b5f/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 02:27:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3miocyp6dypdyofyqzneq7itirc7wdyhuxup4rtpowki4ktalnpq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
13bd267ca3d7af495f8cd8f72daf3ea997312671eafe9992a88768e4f3ecc601
Formbook
181b33c4cba7fc9aad25283ed5fce1f171f8fb64af1591bfe5c38285a7091956
Formbook
19a007d4980b99ea32ee2d9feb1c7479ee4c7b165b159fd4fbd33622b661009d
Formbook
502303edd5a9de57b3667146e84f15fc4957242ca2ef8f75f5e503946c452ee2
Formbook
6ccee842a4957d3410ae6163bb96a9b7739b3ffc3032dfeeb2a3c7b273ca5656
Formbook
898b47cb2e4d16a7325de16aae14c3c66894467ece923e706c186ee9ab75799b
Formbook
8e2fa281cc72512de1fc53eb27a9c04a524ce87c3cdf5932931ea3dc463a459a
Formbook
c9ce6cdd55466893068a0f0b4f6b0ea2e96ca3f7d55f818bda2205985037ac0a
Formbook
da30dd86e912cbfcf0cb4306265cedf47604891dc868db7c59dd92d47ad32063
Formbook
da90895ec14c13c733ba3550194ab36a4c64130c5c2b2038c163dff0c505b3e3
Formbook
+ 15'769 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:j86w loader rat suricata
Link:
https://tria.ge/reports/220525-cxevdsbhbj/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
ce4d1fd62a64dc09d7922e066ebd5a7203b696f5e4f5104ed57a3cfb3180e669
MD5 hash:
08afc3e32fe48981b334d36c5da2349c
SHA1 hash:
5e007a529ef1228fa2452e8cf9ccbde5b695d234
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/1d2d959f-290e-4872-aaeb-54deb7f0e779/
Parent samples :
9dd418e3e0b939a80d00d578f63ad16004cc92646b3398ca9527c6063df0c69c
19a007d4980b99ea32ee2d9feb1c7479ee4c7b165b159fd4fbd33622b661009d
6ccee842a4957d3410ae6163bb96a9b7739b3ffc3032dfeeb2a3c7b273ca5656
db10e161fe1e1e3c38b8865a487d134445fb0f07a5e8fe466f75948e2a605b5f
SH256 hash:
512ee9cd32fff2117a54ad2d35a0b269b78b79bf1e7d2a07064464c1272db55f
MD5 hash:
3ec75ce07b457d03fd6cc99ea5046a3d
SHA1 hash:
bd19964e521eab6a08f217490d5fe66f348bd9d6
Link:
https://www.unpac.me/results/1d2d959f-290e-4872-aaeb-54deb7f0e779/
SH256 hash:
c720d8d87e5744ef459c160ae3ae85984519c5cee89d4acd3d4156f929ebcca2
MD5 hash:
86f922d84e1b89f646bc23cb3d878a9c
SHA1 hash:
b61f4401c1a144d704988cf4e55dd9a71f8d8263
Link:
https://www.unpac.me/results/1d2d959f-290e-4872-aaeb-54deb7f0e779/
SH256 hash:
0283941f1f7ae72f88bb3044addc3f4274549c3fd771612ec3df95c80b708c9e
MD5 hash:
abcf7824b477074db7ac154a80d1e329
SHA1 hash:
9c6982829bff318776560846de7bcc39d3c16f7f
Link:
https://www.unpac.me/results/1d2d959f-290e-4872-aaeb-54deb7f0e779/
SH256 hash:
7c0175e6007f6f37b3a36a8041bed8790cbb3fb048a62871879da806771f069d
MD5 hash:
2e24d14d1e249ab9faec20eb3d457e07
SHA1 hash:
56392c651fbb617b3a78085f0e6401a5cd61b2e5
Link:
https://www.unpac.me/results/1d2d959f-290e-4872-aaeb-54deb7f0e779/
SH256 hash:
db10e161fe1e1e3c38b8865a487d134445fb0f07a5e8fe466f75948e2a605b5f
MD5 hash:
853a7f2d2bf164d8f591d8e014e2f9c4
SHA1 hash:
ec8e479ecff2c6c14bbc013f99834b43adb15bb4
Link:
https://www.unpac.me/results/1d2d959f-290e-4872-aaeb-54deb7f0e779/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/db10e161fe1e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db10e161fe1e1e3c38b8865a487d134445fb0f07a5e8fe466f75948e2a605b5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe db10e161fe1e1e3c38b8865a487d134445fb0f07a5e8fe466f75948e2a605b5f

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274318/

Comments