MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e17c6fdddc41bc1200df93f2303ea35ac0d230e04e7641f1b589bf2a9a7d1e3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e17c6fdddc41bc1200df93f2303ea35ac0d230e04e7641f1b589bf2a9a7d1e3e
SHA3-384 hash: c7a02d39da9301d81b991f1e14fe3e0a56b2258767679fc8d995bf0dece02078d9169bd94cc1bfbe34b02687dd497830
SHA1 hash: 4412b4aaaa6a921f5dfacd08fcc53f97adcdc94d
MD5 hash: 13f3d3c796b6df4aa50759f1216a96e7
humanhash: burger-floor-florida-jupiter
File name:13f3d3c796b6df4aa50759f1216a96e7
Download: download sample
Signature Formbook
Create hunting rule
File size:278'528 bytes
First seen:2021-06-27 21:35:42 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 6144:cEtTqjFA5JxUTHMcdKYl58wqpGdGyzGWLK0/Gtv:cE9Z53UTHLoYvjqs3//Ev
Threatray 6'051 similar samples on MalwareBazaar
TLSH 9844121A70D1417FD89986B51CFB873A97F78E001926120313F07B1EBEB1D8646A67A6
Reporter zbetcheckin
Tags:FormBook msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168499/
Detection(s):
Win.Malware.Filerepmetagen-9874481-0
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e17c6fdddc41bc1200df93f2303ea35ac0d230e04e7641f1b589bf2a9a7d1e3e
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808619
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 441030 Sample: E1bCgdZF3a Startdate: 27/06/2021 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 6 other signatures 2->52 8 MSI8990.tmp 20 2->8         started        12 explorer.exe 2->12         started        15 msiexec.exe 2 2->15         started        process3 dnsIp4 26 C:\Users\user\AppData\Local\...\System.dll, PE32 8->26 dropped 28 C:\Users\user\AppData\Local\Temp\itfcdm, DOS 8->28 dropped 54 Detected unpacking (changes PE section rights) 8->54 56 Maps a DLL or memory area into another process 8->56 58 DLL side loading technique detected 8->58 60 Tries to detect virtualization through RDTSC time measurements 8->60 17 MSI8990.tmp 8->17         started        30 www.fl6588.com 12->30 32 www.fl6588.com 202.46.38.121, 49704, 80 CNNIC-SUNRISE-APShenZhenSunriseTechnologyCoLtdCN China 12->32 34 6 other IPs or domains 12->34 62 System process connects to network (likely due to code injection or exploit) 12->62 20 cmstp.exe 12->20         started        file5 signatures6 process7 signatures8 36 Modifies the context of a thread in another process (thread injection) 17->36 38 Maps a DLL or memory area into another process 17->38 40 Sample uses process hollowing technique 17->40 42 Queues an APC in another process (thread injection) 17->42 44 Tries to detect virtualization through RDTSC time measurements 20->44 22 cmd.exe 1 20->22         started        process9 process10 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e17c6fdddc41bc1200df93f2303ea35ac0d230e04e7641f1b589bf2a9a7d1e3e/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-27 00:32:59 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4f6g7xo4ig6beag7spzdapvdllanemhajz3ed4nvrg7svgt5dy7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
21b29b3e6e8ea1f94e0d6944026efdccf89b7f35794478daccd05e2a00f222cb
Formbook
50961752207e439abf40cf15d11d20f5c3d9b68067e571c3029c7bce69ffe085
Formbook
66e06710b095c687448e0b08240a99f84dfbfc24882a2c8c9f5b165f58469d8f
Formbook
70bbe5e2d1987ad7bf4cb067ef7c2447ef8fbc668078e725abd14d49857a8d3a
Formbook
72a002cd9cd49afe6f15c5dc2ad7e3f65471b21fd4331202183b87c7ebab7fe3
Formbook
744400d590042d779a25401879f9906b979e32bba3fac355a0ff2d5a00f4fcfc
Formbook
a64fb325fa611518c20644dfbe5728eb7767caeb63df08c4935dec5fc4ffe988
Formbook
ae5df8905dd1b9de509e6764dea4c5571916b1705a129bddf2f5e2e554552acb
Formbook
b8f987a5099e1a1a220893763f00bcff9d84ed2dd49cb4a0ab8f5c595281e5ac
Formbook
d040f18bcf1d59a6372cdd74ec22ba8908ca7c6e7c5a01e80053433277e16d1d
Formbook
+ 6'041 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook macro rat spyware stealer trojan xlm
Link:
https://tria.ge/reports/210627-x6sqrsgpga/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.bulverderoofing.com/lt0h/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/e17c6fdddc41bc1200df93f2303ea35ac0d230e04e7641f1b589bf2a9a7d1e3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Executable_Converted_to_MSI
Create hunting rule
Rule name:INDICATOR_MSI_EXE2MSI
Create hunting rule
Author:ditekSHen
Description:Detects executables converted to .MSI packages using a free online converter.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Microsoft Software Installer (MSI) msi e17c6fdddc41bc1200df93f2303ea35ac0d230e04e7641f1b589bf2a9a7d1e3e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168499/

Comments