MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e23cdc292f7abd52c0832b3d7e2c0ea97bfc71d5ae02b038d6e089f3a103f79d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e23cdc292f7abd52c0832b3d7e2c0ea97bfc71d5ae02b038d6e089f3a103f79d
SHA3-384 hash: 27b63059c241ee148f1b2b3231864f9ecae6680372c57e15feec262d95cfa6b852c1c964144b0ae1509113a9a38fce78
SHA1 hash: 1f058641f01095275f965255e7732caa1da2a339
MD5 hash: a2430301a7488eb748837b9c48d00efb
humanhash: monkey-nuts-april-mars
File name:TOP URGENT RFQ FOR MARCH2021MXZ232.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'300'480 bytes
First seen:2021-03-01 07:29:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:9oXP94gPGOGiKCckyrYjQc717hVrzdtqwhSUz4l:s2MPGiK2yLc5VtqwQUy
Threatray 3'827 similar samples on MalwareBazaar
TLSH 08557C0223D89F68F53A9335A629C62487F5BC07EB34D95C7DE039DF2672F818662712
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TOP URGENT RFQ FOR MARCH2021MXZ232.exe
Verdict:
No threats detected
Analysis date:
2021-03-01 07:35:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/36b3c3b3-2061-4a10-9539-8d3743555006

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120140/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621751
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 359864 Sample: TOP URGENT RFQ FOR MARCH202... Startdate: 01/03/2021 Architecture: WINDOWS Score: 100 33 www.votelawandorder.com 2->33 35 www.fordleonmartinica.com 2->35 37 2 other IPs or domains 2->37 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 8 other signatures 2->55 11 TOP URGENT RFQ FOR MARCH2021MXZ232.exe 3 2->11         started        signatures3 process4 file5 31 TOP URGENT RFQ FOR...H2021MXZ232.exe.log, ASCII 11->31 dropped 14 TOP URGENT RFQ FOR MARCH2021MXZ232.exe 11->14         started        17 TOP URGENT RFQ FOR MARCH2021MXZ232.exe 11->17         started        process6 signatures7 65 Modifies the context of a thread in another process (thread injection) 14->65 67 Maps a DLL or memory area into another process 14->67 69 Sample uses process hollowing technique 14->69 71 Queues an APC in another process (thread injection) 14->71 19 explorer.exe 14->19 injected process8 dnsIp9 39 zu136.com.lv1174.faipod.com 45.249.246.216, 49727, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK Hong Kong 19->39 41 pragmafind.net 185.151.237.132, 80 M247GB Iran (ISLAMIC Republic Of) 19->41 43 15 other IPs or domains 19->43 57 System process connects to network (likely due to code injection or exploit) 19->57 23 msdt.exe 12 19->23         started        signatures10 process11 dnsIp12 45 www.pragmafind.net 23->45 47 pragmafind.net 23->47 59 Modifies the context of a thread in another process (thread injection) 23->59 61 Maps a DLL or memory area into another process 23->61 63 Tries to detect virtualization through RDTSC time measurements 23->63 27 cmd.exe 1 23->27         started        signatures13 process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e23cdc292f7abd52c0832b3d7e2c0ea97bfc71d5ae02b038d6e089f3a103f79d/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 02:44:35 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4i6nykjppk6vfqedfm6x4laovf57y4ovvyblaogw4ce7hiid66oq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0a2e7c9ad53b5355f4f723912d07f9dae7d1e2d72ac62758cdc44196f124945e
Formbook
149bc7bb666f2eabcf946822bd316709ddeeef787f059687415f98c71ad47783
Formbook
2bec4da3283f4d9329b155c12e5ee6f5f8943bb43d9e66c1767b877b89a19063
Formbook
3a220e6bff537b270991d1bb49e530c7279fb643f8a9b5998bbefae6140a19f4
Formbook
4cced354a0867338e39875526796861c483e8475bdacd117dd34ad1c2d89ec63
Formbook
5babb878615fbf3b56008f4d7becccdb0a316e3eecb95ce99ea2a6c9d5a8a19a
Formbook
962717277827f35c7e785410f493c8adb708a13fb16717a29c3b01b2edcb35ac
Formbook
a0a24af1d7eaf3c0066b417f3f631327af37f5e1e3ee8f79019bade1f700ef69
Formbook
a3327c95da3017b7f9f87eeeef8ccba7373e363facad5024432b7aba20a9b832
Formbook
e5ff1fccc213b922956415d980bbbf9318b17834761d629b23448ab14868812e
Formbook
+ 3'817 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210301-7jdtpna31e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.positivemotivator.com/b3pu/
Unpacked files
SH256 hash:
68b716109ff4e18e21bd0acacb3796f7930771d19f6a766d7d3aa0bbde4ce7e0
MD5 hash:
a3d1d373062f59282307d4b9966d702b
SHA1 hash:
60c9c330e6ff63d3e0b3b0b700ac37bde5997ced
Link:
https://www.unpac.me/results/f6614996-8f4f-4944-b292-1361e73b04ff/
SH256 hash:
e23cdc292f7abd52c0832b3d7e2c0ea97bfc71d5ae02b038d6e089f3a103f79d
MD5 hash:
a2430301a7488eb748837b9c48d00efb
SHA1 hash:
1f058641f01095275f965255e7732caa1da2a339
Link:
https://www.unpac.me/results/f6614996-8f4f-4944-b292-1361e73b04ff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e23cdc292f7abd52c0832b3d7e2c0ea97bfc71d5ae02b038d6e089f3a103f79d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/120140/

Comments