MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e261d9f28aad1bbd77d7fb3a1c66f7f80f9c11b853615302d5e6f7363a8dc282. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e261d9f28aad1bbd77d7fb3a1c66f7f80f9c11b853615302d5e6f7363a8dc282
SHA3-384 hash: 6a913bc9dd265901b79460d4e76201408d7d55c40d64c2a4de1fd277b7ea4a835306c9914dc5598c2ac31d3adce3395f
SHA1 hash: 1a89c3a67c16c8442f1114ee91b8922ea15bcf39
MD5 hash: a7f66fb0a1bc9824384b409aa7430ded
humanhash: cold-berlin-happy-angel
File name:SecuriteInfo.com.Variant.MSILHeracles.26997.7726.20843
Download: download sample
Signature FormBook
Create hunting rule
File size:1'242'112 bytes
First seen:2022-05-18 13:35:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:SJdT707LWCr01NJgElLBpNNDW6apvyjynhDiTbO5TwrDiIV21CPGRu1jJ42Dmx7s:SJqPrWLBxWVojyxkO6eIQ1CPGYjJBm9
Threatray 15'284 similar samples on MalwareBazaar
TLSH T14845F20DBEB08244C31878F69DD107A0C2705F5E82595B4E2EBFBA597472183CEE6D9E
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2609090e0e2e2608 (16 x Formbook, 2 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.MSILHeracles.26997.7726.20843
Verdict:
No threats detected
Analysis date:
2022-05-18 23:42:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dec00d5c-ae03-4e30-afdc-33d2831c9af7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272114/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.26997.7726.20843.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b7fc4cd1-759a-4dcb-a4a1-70a506566de8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/996820
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to hide user accounts
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 629316 Sample: SecuriteInfo.com.Variant.MS... Startdate: 18/05/2022 Architecture: WINDOWS Score: 100 44 127.0.0.1 unknown unknown 2->44 46 www.creditphilippines.com 2->46 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected UAC Bypass using CMSTP 2->62 64 6 other signatures 2->64 9 SecuriteInfo.com.Variant.MSILHeracles.26997.7726.exe 4 6 2->9         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        signatures3 process4 dnsIp5 40 C:\Windows\Resources\Themes\...\svchost.exe, PE32 9->40 dropped 42 SecuriteInfo.com.V....26997.7726.exe.log, ASCII 9->42 dropped 66 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->66 68 Creates autostart registry keys with suspicious names 9->68 70 Creates an autostart registry key pointing to binary in C:\Windows 9->70 74 2 other signatures 9->74 18 runonce.exe 9->18         started        21 powershell.exe 24 9->21         started        23 powershell.exe 25 9->23         started        25 powershell.exe 9->25         started        72 Multi AV Scanner detection for dropped file 13->72 48 192.168.2.1 unknown unknown 15->48 file6 signatures7 process8 signatures9 50 Modifies the context of a thread in another process (thread injection) 18->50 52 Maps a DLL or memory area into another process 18->52 54 Tries to detect virtualization through RDTSC time measurements 18->54 56 Queues an APC in another process (thread injection) 18->56 27 explorer.exe 18->27 injected 30 conhost.exe 21->30         started        32 conhost.exe 23->32         started        34 conhost.exe 25->34         started        process10 signatures11 76 Drops executables to the windows directory (C:\Windows) and starts them 27->76 36 svchost.exe 27->36         started        38 svchost.exe 27->38         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e261d9f28aad1bbd77d7fb3a1c66f7f80f9c11b853615302d5e6f7363a8dc282/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2022-05-18 07:11:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4jq5t4ukvun3256x7m5byzxx7ahzyenyknqvgawv433tmounykba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4daead502dfca41fa6e5789eb458e5bc60ed7da6c8af2229596e1e0697f50701
FormBook
4edaae9497ac7f59ed3af62e436c0f5f510c1ffd2437d44a68b70aa5219d7bc3
FormBook
6420ceb34588ec91292aa6fcaa2b77b99a4b492a009f51a409fd240d138c7856
FormBook
6f2d71733b4bcab1a04a40168f2900963a9f65c0081a6f1d1832d18b6bae16bb
FormBook
90e04c24a8b6d9e6fa70821c848c1ccd7ff1f1bc2c78d19c5bc2fa09838a436e
FormBook
ade283e1dc7b88a52ca2c0ac149af10ff68dff1709a27dd800936a7345cc6b56
FormBook
d1436252b743d1f522311de28d13a2ec5d8e399990f5c5c26f3479414076ee26
FormBook
e2682ee08233df5afc90d9295165ffed0373e4f34278d99d5a30622c2577639b
FormBook
f61f02c5be2ef5988f474ffc148b099942ab8582cd4aac8b3c991436f6230592
FormBook
+ 15'274 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ghu8 evasion persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220518-qv8lkschbp/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads user/profile data of web browsers
Windows security modification
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Windows security bypass
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
e261d9f28aad1bbd77d7fb3a1c66f7f80f9c11b853615302d5e6f7363a8dc282
MD5 hash:
a7f66fb0a1bc9824384b409aa7430ded
SHA1 hash:
1a89c3a67c16c8442f1114ee91b8922ea15bcf39
Link:
https://www.unpac.me/results/fab6d4e2-0fdf-4431-af06-037d787875dd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/e261d9f28aad1bbd77d7fb3a1c66f7f80f9c11b853615302d5e6f7363a8dc282

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/272114/

Comments