MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e05a70145e79856ae8df1af7e086832459ef0cec8356650c6414cf56433a12eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e05a70145e79856ae8df1af7e086832459ef0cec8356650c6414cf56433a12eb
SHA3-384 hash: c6e4f08359c25b7a3765e7277b92b5ce44fc837ad3c35aa7b11ce50df5403a0be26aabfa71bca79d419679cbdcdd14b3
SHA1 hash: 72610158cae804880b3bc2dfbec289075eccc7d0
MD5 hash: 7ace61e6a8f85641b0533ea4704b2365
humanhash: black-bulldog-vegan-jersey
File name:bm.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:852'480 bytes
First seen:2022-06-22 14:10:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:N1YivcYiOw9F0vw9FEY9lw9FDQx9VhccUQsEnWo6tYiOw9F0cYiDw9F0cYiOw9F0:NFvSOGGvGDlGhoVhccUQsvNOGGSDGGSC
Threatray 13'959 similar samples on MalwareBazaar
TLSH T15B05022072C4FB56D07F2BB91570016107397BB626A2DE0E8D8761EE4B6B7024B1DEE7
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
e05a70-bm.exe.zip
Verdict:
Malicious activity
Analysis date:
2022-06-23 11:33:43 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/8476f679-067d-4f80-ad53-064c5294ff5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/282313/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.11262.3551.21525.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b3233878c72835188a3e85/reports/f2d81189-867b-44ba-9964-c9db75f6b1d9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/34006d84-ba62-477d-b5d6-84a151528604
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1017964
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 650457 Sample: bm.exe Startdate: 22/06/2022 Architecture: WINDOWS Score: 100 43 www.jandbticketsales.com 2->43 45 www.luxurymiamiflorida.com 2->45 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 Yara detected AntiVM3 2->55 57 6 other signatures 2->57 10 bm.exe 7 2->10         started        signatures3 process4 file5 35 C:\Users\user\AppData\...\TqPLZgJnzbGgnz.exe, PE32 10->35 dropped 37 C:\...\TqPLZgJnzbGgnz.exe:Zone.Identifier, ASCII 10->37 dropped 39 C:\Users\user\AppData\Local\...\tmp9F8D.tmp, XML 10->39 dropped 41 C:\Users\user\AppData\Local\...\bm.exe.log, ASCII 10->41 dropped 67 Uses schtasks.exe or at.exe to add and modify task schedules 10->67 69 Adds a directory exclusion to Windows Defender 10->69 71 Tries to detect virtualization through RDTSC time measurements 10->71 14 bm.exe 10->14         started        17 powershell.exe 25 10->17         started        19 schtasks.exe 1 10->19         started        signatures6 process7 signatures8 73 Modifies the context of a thread in another process (thread injection) 14->73 75 Maps a DLL or memory area into another process 14->75 77 Sample uses process hollowing technique 14->77 79 Queues an APC in another process (thread injection) 14->79 21 cmstp.exe 14->21         started        24 explorer.exe 14->24 injected 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        process9 dnsIp10 59 Modifies the context of a thread in another process (thread injection) 21->59 61 Maps a DLL or memory area into another process 21->61 63 Tries to detect virtualization through RDTSC time measurements 21->63 31 cmd.exe 1 21->31         started        47 www.venacavadigital.com 24->47 49 venacavadigital.com 34.102.136.180, 49850, 80 GOOGLEUS United States 24->49 65 System process connects to network (likely due to code injection or exploit) 24->65 signatures11 process12 process13 33 conhost.exe 31->33         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e05a70145e79856ae8df1af7e086832459ef0cec8356650c6414cf56433a12eb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-22 14:09:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
52
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4bnhafc6pgcwv2g7dl36bbuderm66dhmqnlgkddecthvmqz2clvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
213800d4309d521a4eca763503bf7fb6740e7a09848f3052e6f6cff23f6a6172
Formbook
27a558d460d700f26cb24a6f6b52d14fcbecf08cf984b3fd8a3a8f35e625ef49
Formbook
38d9e46ffe8d5d1405ac99da1a744e591bc93232a51a89add6d10c00d0957710
Formbook
45d1b699698ba99b1a8c51ef57d3ed895b762f418cc05f8c54425e3cebcea4c0
Formbook
5bc966e22893f103baa526fdd1392a0350890a4a151670fe608f55f32eaa9c1b
Formbook
b359375e9ac1bbd90bcb60c5fc6834d8a12ee2f4aadb34a001bda42a1c93b228
Formbook
b7595a0ccd50ea8a1e86cfc4ef6d8847266a6be2db436455b8057a9b154b2fda
Formbook
dc768179ba649419f687c42e8ffbd972d6667775e7cc48665a3f7d05a52cc0d5
Formbook
ebd95b71b4b54bc4c3b43e09447bf288498b33409e26832db137b105527ba6da
Formbook
+ 13'949 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ah8e loader persistence rat spyware stealer suricata
Link:
https://tria.ge/reports/220622-rg9r6ageal/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
8532847edcb2a09cb1f537294fc95621654c3e47dd6085c871934eaa45f08813
MD5 hash:
93afe06d5148d04443fc59352f049dec
SHA1 hash:
e680ce1a25c326569960ff6d62b2b574acd8da54
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/037405a8-c2b3-4ead-98fa-8d4f6caca558/
Parent samples :
d17ea6f751d401fc47fbe5ec01bada28c9dc1294054dd07341b690d232200aee
e8be37f142bec9e9bf1a6038d7e7c246ad75b9b8ab966d1a92d807b7d9220de5
e05a70145e79856ae8df1af7e086832459ef0cec8356650c6414cf56433a12eb
SH256 hash:
907c1cf3b53bbd617f2ba03844918c944d56053af3eaeda34c5af80001100f86
MD5 hash:
19c4026f0788f529e0d75272be945d86
SHA1 hash:
dfbb4035b151aac7b90138b9ae1932971eb349d0
Link:
https://www.unpac.me/results/037405a8-c2b3-4ead-98fa-8d4f6caca558/
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/037405a8-c2b3-4ead-98fa-8d4f6caca558/
SH256 hash:
880c9ff80de33cde042ab26d75677dab18fdc7695908d615c44efa8b5d8e088a
MD5 hash:
07e1e5baea35d75e784cce3b991a5fdc
SHA1 hash:
2f5cd9ad4acec13ddb49f9d69093f9fe475342c2
Link:
https://www.unpac.me/results/037405a8-c2b3-4ead-98fa-8d4f6caca558/
SH256 hash:
4906a6a3ac90429587c0a2ca5d773820ee787cff5ff7e89285e9ccb802b18cc1
MD5 hash:
7e62412acf1e307e30bfc1de5c87f648
SHA1 hash:
1051949c551f8cf4fd69bdf579768aa8f5975bc7
Link:
https://www.unpac.me/results/037405a8-c2b3-4ead-98fa-8d4f6caca558/
SH256 hash:
e05a70145e79856ae8df1af7e086832459ef0cec8356650c6414cf56433a12eb
MD5 hash:
7ace61e6a8f85641b0533ea4704b2365
SHA1 hash:
72610158cae804880b3bc2dfbec289075eccc7d0
Link:
https://www.unpac.me/results/037405a8-c2b3-4ead-98fa-8d4f6caca558/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e05a70145e79/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e05a70145e79856ae8df1af7e086832459ef0cec8356650c6414cf56433a12eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/282313/
  
URLhaus
https://urlhaus.abuse.ch/url/2247278/

Comments