MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e16cb828cc6368d7e7a1312eded1e218c31ebc325f37b13bd612c464b84afb79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e16cb828cc6368d7e7a1312eded1e218c31ebc325f37b13bd612c464b84afb79
SHA3-384 hash: e9c0fea0d839fb4121c33e3077d3c815a9ff586839d5cb05662ddb3eb423feb9b59456982e809d486022726578746e7f
SHA1 hash: 074184497e749b2fbbb4bdb42dc90b6d48ceeb5e
MD5 hash: 5ec5a7129900671539c9bf753fa4234a
humanhash: august-paris-pluto-berlin
File name:5ec5a7129900671539c9bf753fa4234a.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:606'208 bytes
First seen:2021-09-28 11:35:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:wz6Bz5Ni+hBr7IUADEUrJdmQehrMSB8ctWD9kT:waNi+hBr8UAYAuNmSB84WD9
Threatray 9'693 similar samples on MalwareBazaar
TLSH T194D48DDA1EB497CBFB4E02F8F5782B9813BA9028D59BF3D2CA45B0B311367544920DD6
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
invoice-E-2-S-2122-1235.doc
Verdict:
Malicious activity
Analysis date:
2021-09-28 07:12:17 UTC
Tags:
exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/ccd24d49-52a9-41b6-b643-3448bb997e59

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.14006.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/adcc2b94-4494-4613-8eb1-d7978f84abba
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859808
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 492240 Sample: qFghuPTDuw.exe Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 39 www.artdirectorfff.com 2->39 41 domains.readymag.com 2->41 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 7 other signatures 2->55 11 qFghuPTDuw.exe 7 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\SeNhpVLP.exe, PE32 11->33 dropped 35 C:\Users\user\AppData\Local\Temp\tmpE6C.tmp, XML 11->35 dropped 37 C:\Users\user\AppData\...\qFghuPTDuw.exe.log, ASCII 11->37 dropped 67 Uses schtasks.exe or at.exe to add and modify task schedules 11->67 69 Tries to detect virtualization through RDTSC time measurements 11->69 15 qFghuPTDuw.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 71 Modifies the context of a thread in another process (thread injection) 15->71 73 Maps a DLL or memory area into another process 15->73 75 Sample uses process hollowing technique 15->75 77 Queues an APC in another process (thread injection) 15->77 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 43 www.espressence.com 64.190.62.111, 49828, 80 NBS11696US United States 20->43 45 aieraadvert.com 185.187.241.40, 49890, 80 HOSTSLIM-GLOBAL-NETWORKNL Germany 20->45 47 13 other IPs or domains 20->47 57 System process connects to network (likely due to code injection or exploit) 20->57 26 wscript.exe 20->26         started        signatures11 process12 signatures13 59 Self deletion via cmd delete 26->59 61 Modifies the context of a thread in another process (thread injection) 26->61 63 Maps a DLL or memory area into another process 26->63 65 Tries to detect virtualization through RDTSC time measurements 26->65 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e16cb828cc6368d7e7a1312eded1e218c31ebc325f37b13bd612c464b84afb79/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 09:08:46 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24
Formbook
2ea667119c0aeda764dcb53a2adf480a26985bfc682949d0fb0c02d266342c68
Formbook
2eb844b531f53a22bd20a919fda7cb483283c2e0cfc9968bca6b0c8792be580c
Formbook
326a1e669385d8e241375e9eca9f915440f1d0d3f803e6d1648f30102cbedaa6
Formbook
3f5c235293cfdde26a725b19b3cbaefc44dae026b7dff9124002f42e564df18b
Formbook
5e27b2f6ec7f0387f6c380ac26eb924fcc732601c43ed7c400c42ae82fb0de57
Formbook
990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d
Formbook
dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7
Formbook
fa9bd0ededa6a35bd948c884848855568c1efd4e77bd2ca7786144f81d3f64c5
Formbook
+ 9'683 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:heth loader rat
Link:
https://tria.ge/reports/210928-nql6nsbhhj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.artdirectorfff.com/heth/
Unpacked files
SH256 hash:
f28b08623ab981f2f3cbe3309e7e332107a63694c1910e02ade8b7a3ab75c78c
MD5 hash:
752c63993a0c721d63a11e8eeb8e4f92
SHA1 hash:
504780e65e7813a6f73e0482b4951f155add23f7
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/8e165d7a-5daa-4476-b631-7ae6ce019d5b/
SH256 hash:
d6c9ed3b946e806c3874720b44a59b394befdc3f011115367e03c9bffd2d94de
MD5 hash:
d0c83d6085339fec8848331f426af8cd
SHA1 hash:
373207c25620321cb645ba393c08cd471747b09c
Link:
https://www.unpac.me/results/8e165d7a-5daa-4476-b631-7ae6ce019d5b/
SH256 hash:
aa287b2db6bd786ab007a727e64adadb3a350bdbab2a69c1442f17c0e540e3aa
MD5 hash:
c40807320e7ee1283fbae0726b798430
SHA1 hash:
278d2178a8d080cb9e5819eb978e58c1186c3227
Link:
https://www.unpac.me/results/8e165d7a-5daa-4476-b631-7ae6ce019d5b/
SH256 hash:
6a671abf66304301602b4afd0902840bc3915455cffc58d8916eaa693abe33ec
MD5 hash:
681eca96e4e7b513317178dc7065ef39
SHA1 hash:
24af82015bc57d125f1ccb759840118b2283d1dc
Link:
https://www.unpac.me/results/8e165d7a-5daa-4476-b631-7ae6ce019d5b/
SH256 hash:
e16cb828cc6368d7e7a1312eded1e218c31ebc325f37b13bd612c464b84afb79
MD5 hash:
5ec5a7129900671539c9bf753fa4234a
SHA1 hash:
074184497e749b2fbbb4bdb42dc90b6d48ceeb5e
Link:
https://www.unpac.me/results/8e165d7a-5daa-4476-b631-7ae6ce019d5b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e16cb828cc6368d7e7a1312eded1e218c31ebc325f37b13bd612c464b84afb79

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe e16cb828cc6368d7e7a1312eded1e218c31ebc325f37b13bd612c464b84afb79

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1619089/
  
Delivery method
Distributed via web download

Comments