MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e57a006770c082e10b1d0821fdae309f5f76b5c1f9f209a9b6edae90c13dc718. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e57a006770c082e10b1d0821fdae309f5f76b5c1f9f209a9b6edae90c13dc718
SHA3-384 hash: b4dc2b11525c33fc65a613744b4de641f2d4f509fa4e1fcdc29489e473346704c0599f76d9c2a3d215becadfb6151783
SHA1 hash: 8714ae6989ef49dd4563bfb6462e233739f269e7
MD5 hash: 1b225b72fbc08f95e76634dc39a25b1a
humanhash: comet-seventeen-winner-fish
File name:1b225b72fbc08f95e76634dc39a25b1a
Download: download sample
Signature Formbook
Create hunting rule
File size:654'848 bytes
First seen:2024-01-16 16:25:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:609d2iNjJz/IIHF3fKqHYTK80lwcAS05JgxGOkSBnIeEvu5Ni30VTCF6DJMw5iX:9n1NJz/IIHFv9HUKt05+xsSKeEvuWuVC
Threatray 682 similar samples on MalwareBazaar
TLSH T108D4220633E89F2AC6F563FAEE50662987F52444B0E5E7E41ED690DD48A07424F21F8F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
fbf8bddb02d20e99a608541ba4f1df03f8686d3a486b7f68efe24e7bbe5ac6b0.xls
Verdict:
Malicious activity
Analysis date:
2024-01-16 16:15:59 UTC
Tags:
maldoc opendir loader exploit cve-2017-11882 formbook xloader stealer spyware
Link:
https://app.any.run/tasks/4fbe83bc-898f-4210-9d01-7ece19e18e2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471162/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin packed
Link:
https://www.filescan.io/uploads/65a6ae24ec34a351d14f0d2c/reports/c138d65f-01af-4a94-9e86-5ed8b39c9d29/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/e57a006770c082e10b1d0821fdae309f5f76b5c1f9f209a9b6edae90c13dc718
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cb05b03e-1d4c-461e-bc4c-34d0e15e9b3d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1375530
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1375530 Sample: NfNXiX42uQ.exe Startdate: 16/01/2024 Architecture: WINDOWS Score: 100 53 www.threein.online 2->53 55 www.pchsedmonton.com 2->55 57 5 other IPs or domains 2->57 73 Snort IDS alert for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 9 other signatures 2->79 11 NfNXiX42uQ.exe 7 2->11         started        15 SgbgCqDdp.exe 5 2->15         started        signatures3 process4 file5 49 C:\Users\user\AppData\Roaming\SgbgCqDdp.exe, PE32 11->49 dropped 51 C:\Users\user\AppData\Local\...\tmp7EDE.tmp, XML 11->51 dropped 87 Uses schtasks.exe or at.exe to add and modify task schedules 11->87 89 Adds a directory exclusion to Windows Defender 11->89 91 Tries to detect virtualization through RDTSC time measurements 11->91 17 NfNXiX42uQ.exe 11->17         started        20 powershell.exe 23 11->20         started        22 schtasks.exe 1 11->22         started        93 Multi AV Scanner detection for dropped file 15->93 95 Machine Learning detection for dropped file 15->95 97 Injects a PE file into a foreign processes 15->97 24 SgbgCqDdp.exe 15->24         started        26 schtasks.exe 1 15->26         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 17->65 67 Maps a DLL or memory area into another process 17->67 69 Sample uses process hollowing technique 17->69 71 Queues an APC in another process (thread injection) 17->71 28 explorer.exe 2 1 17->28 injected 32 conhost.exe 20->32         started        34 WmiPrvSE.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 26->38         started        process9 dnsIp10 59 pchsedmonton.com 50.87.145.218, 80 UNIFIEDLAYER-AS-1US United States 28->59 61 www.ctbartab.com 50.3.11.189, 49713, 80 EONIX-COMMUNICATIONS-ASBLOCK-62904US United States 28->61 63 burduremlakilan.com 192.0.78.25, 49711, 80 AUTOMATTICUS United States 28->63 99 System process connects to network (likely due to code injection or exploit) 28->99 101 Uses netstat to query active network connections and open ports 28->101 40 NETSTAT.EXE 28->40         started        43 help.exe 28->43         started        signatures11 process12 signatures13 81 Modifies the context of a thread in another process (thread injection) 40->81 83 Maps a DLL or memory area into another process 40->83 85 Tries to detect virtualization through RDTSC time measurements 40->85 45 cmd.exe 1 40->45         started        process14 process15 47 conhost.exe 45->47         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e57a006770c082e10b1d0821fdae309f5f76b5c1f9f209a9b6edae90c13dc718
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e57a006770c082e10b1d0821fdae309f5f76b5c1f9f209a9b6edae90c13dc718/
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2024-01-16 16:26:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4v5aaz3qycboccy5baq73lrqt5pxnnob7hzatknw5wxjbqj5y4ma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5
Formbook
6a14e79be0398899cfc53dc234f9e51f13705afe8b2cf15c404923bb6706ea09
Formbook
925fa037b496ed141df2f58ee1eddac36a26a9ec3bf6888c7e4066764fa0f51c
Formbook
982a9a52e532bbfe52941c4ab95c2899c1af75e9a3eee2b1977e3f49e8a3e71e
Formbook
acf37888f0f2f3d50b34287c2dcd04c50930dd5eb5892dadb75b65fa16136b31
Formbook
bbcaa127862b5b70b5a833b3136f431c03a9165dd0a4646ba78922ebcc7ebdc3
Formbook
ea5cca67b84c377c1c50e3e978fa2bcf6d178e8ce9cb23971c3304359b23e435
Formbook
f5fd6d272de7ed1db622c1e3fc51f5ce84338b700b94b7f86564e9f7f3de6b54
Formbook
fbf8bddb02d20e99a608541ba4f1df03f8686d3a486b7f68efe24e7bbe5ac6b0
Formbook
+ 672 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:jk56 rat spyware stealer trojan
Link:
https://tria.ge/reports/240116-tzdtjsfgd9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
d11f8f737cd2112109fd6187d12655c8716c260f85db450ade8bc9b93625880c
MD5 hash:
acc94d921e2d741d9e8a72c691ba1469
SHA1 hash:
31c879ca9e3bca67c608f865fb8e9f4d8b64e3d3
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/1dbe66e4-2227-4ead-a301-9021e8af9208/
Parent samples :
acf37888f0f2f3d50b34287c2dcd04c50930dd5eb5892dadb75b65fa16136b31
e57a006770c082e10b1d0821fdae309f5f76b5c1f9f209a9b6edae90c13dc718
57bf60dae149215611af79b1ebeb1cfdd1d3a73d32e48035894971eb4a69566d
299fa2601344081d80079815643aad1bc5ac812031048754be53a3917308af1e
SH256 hash:
e4714c28c88f5c85fb302b29bd314e41c26b3ba56c79f27d2806a6834ee3d62f
MD5 hash:
81cd7f94f5f6ed4a2d0ade510ff973af
SHA1 hash:
b20aa05d3000b89759c14ccbd8bf5f8c4e1a27a6
Link:
https://www.unpac.me/results/1dbe66e4-2227-4ead-a301-9021e8af9208/
SH256 hash:
119be76ff4390d370daa0695493111bf5c86e5b847a5455b5cf8d8ff299d6264
MD5 hash:
49adf346f5d3461de63872ff50ff7ecf
SHA1 hash:
64f1bddf9d7fcbd5ca831f9bac1375a458012453
Link:
https://www.unpac.me/results/1dbe66e4-2227-4ead-a301-9021e8af9208/
SH256 hash:
21afe82a0b71ee589c26f32dc88e0a6e22817f21194b2a83f1807c6cecc8c818
MD5 hash:
440bb4db146ccb1161ac2bcf365d7676
SHA1 hash:
506eda511b46df6e95d86861e70fda81307f8623
Link:
https://www.unpac.me/results/1dbe66e4-2227-4ead-a301-9021e8af9208/
SH256 hash:
e57a006770c082e10b1d0821fdae309f5f76b5c1f9f209a9b6edae90c13dc718
MD5 hash:
1b225b72fbc08f95e76634dc39a25b1a
SHA1 hash:
8714ae6989ef49dd4563bfb6462e233739f269e7
Link:
https://www.unpac.me/results/1dbe66e4-2227-4ead-a301-9021e8af9208/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e57a006770c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e57a006770c082e10b1d0821fdae309f5f76b5c1f9f209a9b6edae90c13dc718

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe e57a006770c082e10b1d0821fdae309f5f76b5c1f9f209a9b6edae90c13dc718

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2749058/
Cape
Cape
https://www.capesandbox.com/analysis/471162/

Comments


Avatar
zbet commented on 2024-01-16 16:25:41 UTC

url : hxxp://172.245.208.28/1314/conhost.exe