MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1a56f989b55a3ca7b2c531fae84dce7bb3dfd4f20c2d317894337f41d6e85e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1a56f989b55a3ca7b2c531fae84dce7bb3dfd4f20c2d317894337f41d6e85e1
SHA3-384 hash: 7327d3ba52fae41a14fa052e1b69432bc60e1e73674dac6a7ab3c3b5f5a0d5c53da1ecaffa979b992e1c552544d026f3
SHA1 hash: e4314efa9a5751125006aa023ea87a70a171808f
MD5 hash: 7fc8fb0297a3f889c6c0f9790801c8b9
humanhash: berlin-artist-batman-california
File name:List of quotes needed Pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'064'448 bytes
First seen:2022-03-11 11:27:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:rj1MxwkMY0huF8apXEc9ms28RUACGctVa1ymf:PyMYu4pXE1s3AGcq1ym
Threatray 14'248 similar samples on MalwareBazaar
TLSH T1E035F2D4BA88C3BE9C58E267F16804700FB51E9E2432AF5D59C930C9CBF7BAE149151E
File icon (PE):PE icon
dhash icon 332363132d253b47 (3 x Formbook)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
List of quotes needed Pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-03-11 11:35:08 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/08a343e4-185d-4427-86cf-aeeaef8bfb00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/249390/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/622b32470cd58dbd927db1b3/reports/80cd2aa4-4863-4fa9-9890-dc8e182d30ab/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be10144e-4cbd-414c-a3c5-f8b9d2a8fc35
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/954819
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 587299 Sample: List of quotes  needed Pdf.exe Startdate: 11/03/2022 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 7 other signatures 2->37 9 List of quotes  needed Pdf.exe 3 2->9         started        process3 file4 29 C:\...\List of quotes  needed Pdf.exe.log, ASCII 9->29 dropped 47 Injects a PE file into a foreign processes 9->47 13 List of quotes  needed Pdf.exe 9->13         started        16 List of quotes  needed Pdf.exe 9->16         started        18 List of quotes  needed Pdf.exe 9->18         started        signatures5 process6 signatures7 49 Modifies the context of a thread in another process (thread injection) 13->49 51 Maps a DLL or memory area into another process 13->51 53 Sample uses process hollowing technique 13->53 55 Queues an APC in another process (thread injection) 13->55 20 WWAHost.exe 13->20         started        23 explorer.exe 13->23 injected process8 signatures9 39 Self deletion via cmd delete 20->39 41 Modifies the context of a thread in another process (thread injection) 20->41 43 Maps a DLL or memory area into another process 20->43 45 Tries to detect virtualization through RDTSC time measurements 20->45 25 cmd.exe 1 20->25         started        process10 process11 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e1a56f989b55a3ca7b2c531fae84dce7bb3dfd4f20c2d317894337f41d6e85e1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-11 02:17:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4gsw7ge3kwr4u6zmkmp25bg4465t37kpedbngf4jim37ihloqxqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03231087b8d197ac9adff7250c8ceb9c1e6d604c008e5622de78d7e1fcc78c1c
Formbook
12a79c59a47c99e0fc5ecf626e45e5b4d1abef887f00214096d18e4813757234
Formbook
28c28db28e96276f72ce38a60d04f0711388d3f93ecb34d4721dc94fc2bf9f07
Formbook
49f94b3fbaf875cb2c223cdee59cfdedf4b2b937fba4a473cf2e4f767b44cb4c
Formbook
67435ee3c6fd3d272c004256f34020df37fb93fd33c18720053b9d2c1bb19b67
Formbook
6a68426f18f239950d5bb0d82223890b44ea10de5a5fa83294457dd3dcdc5068
Formbook
8ea742e271b371fe424d1e2cb3f5227c6a0f2af70161f5c7600148228e2d77c1
Formbook
9655ee4ca1167f87d9245041ab59e861d6b3bdde7897a3b4cb2deee8550bdaaa
Formbook
b2a2c2200f389dd11ed8083225880c75a050ab463146117e7aa02b983210a6f8
Formbook
d3fae1feacb2e75560f838099213ae33385d6a0a11caa222a4f09024721e2720
Formbook
+ 14'238 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:no9u loader rat suricata
Link:
https://tria.ge/reports/220311-nk1rwaccgj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
.NET Reactor proctector
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
d55f525eb14cf5f73ae1a37d57361caf764bbe72b386f2ae925385186d9a11de
MD5 hash:
e0f1321965b32cd4b2fe11fff15b4f65
SHA1 hash:
159d4db341abc9ccc61b63f3090ec756ad7a0fec
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2376d158-7905-4f29-85ce-7a23e9d375e6/
Parent samples :
6a6963119089589ccf2549a56252f54cb62b516da7475219fab2c294e655e425
e1a56f989b55a3ca7b2c531fae84dce7bb3dfd4f20c2d317894337f41d6e85e1
SH256 hash:
9b00e2fa33ad72dec22a5e107ab6886da72bbe0bed89a721e877c1dc3ce6a662
MD5 hash:
b4c9c16228f0ee1de70ffc6264fb720c
SHA1 hash:
437049e452a511e220abdb32df695cdf07f5a7d0
Link:
https://www.unpac.me/results/2376d158-7905-4f29-85ce-7a23e9d375e6/
SH256 hash:
06c40e99e060e4e7edda1fbf58127532539da5fc60e13d51159f9e68fb478e25
MD5 hash:
1ab01c2699e3d7692c51f6006edb65a1
SHA1 hash:
3bdfc13d760374a0569ecf8241245a93178e21f2
Link:
https://www.unpac.me/results/2376d158-7905-4f29-85ce-7a23e9d375e6/
SH256 hash:
6c01d78d76b197ac4432d127eb2452ead6d65278635422d51e4b098d1e618173
MD5 hash:
d5fea088072d325dc9ced3e3e076caa3
SHA1 hash:
36318d947da941b92898c7441ffc14cf719b6f89
Link:
https://www.unpac.me/results/2376d158-7905-4f29-85ce-7a23e9d375e6/
SH256 hash:
e1a56f989b55a3ca7b2c531fae84dce7bb3dfd4f20c2d317894337f41d6e85e1
MD5 hash:
7fc8fb0297a3f889c6c0f9790801c8b9
SHA1 hash:
e4314efa9a5751125006aa023ea87a70a171808f
Link:
https://www.unpac.me/results/2376d158-7905-4f29-85ce-7a23e9d375e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/e1a56f989b55a3ca7b2c531fae84dce7bb3dfd4f20c2d317894337f41d6e85e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/249390/

Comments