MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5854984cb78e5ce4bcc31263e290d895b3de4660e87e0f5af115cb9b60b5500. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5854984cb78e5ce4bcc31263e290d895b3de4660e87e0f5af115cb9b60b5500
SHA3-384 hash: 8f521147dd3fcaaecadb438025dfad57627f399800b214e012d04b1d909ddb36d114c46c442d30ee1247274270ab97ab
SHA1 hash: 03babc1e2648c8d6bf5547248c63639faca00de0
MD5 hash: 7b429c29a5d488db61e5c22bbb162293
humanhash: double-alaska-leopard-princess
File name:7b429c29a5d488db61e5c22bbb162293
Download: download sample
Signature Formbook
Create hunting rule
File size:618'496 bytes
First seen:2023-08-03 07:27:55 UTC
Last seen:2023-08-03 08:49:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:ag7JYbpMObBAwW0eieg55hEkYegq8pppPF7D2DjIFTrjcRk3ZimjgVuqxU:ag7ClMoAwte85HIzbDYIFvjcRk3ZiSgj
Threatray 3'712 similar samples on MalwareBazaar
TLSH T107D4028463E4623BF5BF37B26D3000410A72BABE7696D7EF488434CFA566B4109657B3
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
279
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
f453b83cb4f6c27b4796816e0f628abf
Verdict:
Malicious activity
Analysis date:
2023-08-03 05:57:22 UTC
Tags:
exploit cve-2017-11882 loader formbook xloader
Link:
https://app.any.run/tasks/a38fde45-ad40-4c27-89c4-2d996ad155cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/440020/
Detection(s):
SecuriteInfo.com.Variant.Ser.Lazy.4636.2839.5228.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64cb570b58785b2ae2188a31/reports/d9a7b1d2-cec5-49a0-ab88-ea0220ef740d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e5854984cb78e5ce4bcc31263e290d895b3de4660e87e0f5af115cb9b60b5500
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f182fd62-90dc-4167-91f6-4d04fbb03b72
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1284927
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1284927 Sample: aiSqzaemXr.exe Startdate: 03/08/2023 Architecture: WINDOWS Score: 100 44 www.353aa.com 2->44 46 newt10.aa301301.com 2->46 54 Snort IDS alert for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 8 other signatures 2->60 11 aiSqzaemXr.exe 3 2->11         started        signatures3 process4 file5 40 C:\Users\user\AppData\...\aiSqzaemXr.exe.log, ASCII 11->40 dropped 74 Tries to detect virtualization through RDTSC time measurements 11->74 76 Injects a PE file into a foreign processes 11->76 15 aiSqzaemXr.exe 11->15         started        18 aiSqzaemXr.exe 11->18         started        20 aiSqzaemXr.exe 11->20         started        signatures6 process7 signatures8 78 Modifies the context of a thread in another process (thread injection) 15->78 80 Maps a DLL or memory area into another process 15->80 82 Sample uses process hollowing technique 15->82 84 Queues an APC in another process (thread injection) 15->84 22 explorer.exe 1 1 15->22 injected process9 dnsIp10 48 www.aqpqt.top 38.40.241.149, 49706, 49707, 49708 COGENT-174US United States 22->48 50 y3.zlnxo3-u.ty3w.net 47.243.186.123, 49703, 49704, 49705 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 22->50 52 2 other IPs or domains 22->52 62 System process connects to network (likely due to code injection or exploit) 22->62 64 Performs DNS queries to domains with low reputation 22->64 26 svchost.exe 19 22->26         started        signatures11 process12 file13 36 C:\Users\user\AppData\...\337logrv.ini, data 26->36 dropped 38 C:\Users\user\AppData\...\337logri.ini, data 26->38 dropped 66 Detected FormBook malware 26->66 68 Tries to steal Mail credentials (via file / registry access) 26->68 70 Tries to harvest and steal browser information (history, passwords, etc) 26->70 72 3 other signatures 26->72 30 cmd.exe 2 26->30         started        signatures14 process15 file16 42 C:\Users\user\AppData\Local\Temp\DB1, SQLite 30->42 dropped 86 Tries to harvest and steal browser information (history, passwords, etc) 30->86 34 conhost.exe 30->34         started        signatures17 process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e5854984cb78e5ce4bcc31263e290d895b3de4660e87e0f5af115cb9b60b5500/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-08-01 18:40:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4wcutbglpds44s6mgetd4kinrfnt3zdgb2d6b5npcfoltnqlkuaa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
142f8b22d894f1fee4c501acbc425edec276004d5d30ab7572cdfab85e89ad12
Formbook
16dbc44d14a74defb998a30220b5401ab840e1590e895a3ed5b2cb96b4c3a3c3
Formbook
2016dcdb738fdd4dbcc09bad9e63604259b3b43ff2df2c9a5fc8d26d0cf6ca4c
Formbook
3af2c0904f3729e0408f6479f4222d5fbcf695f2b5cd32e8737e8690661bb18b
Formbook
a72b08c35805f2191b29d691f93f58eb33d1c827c2fb94029f3f5d760a1af950
Formbook
c2dd815bb0c85f84951aba3b5da301cf81004d45bc87a8920464d7938aab7f56
Formbook
e57304555042d5835094d3ee4cdbcfc713e089f1af6b6764c76673a43c34c971
Formbook
ea370765d72286adf1310958539f8caed1eeab11b23644b4f0672840e3c937af
Formbook
fa3a477577604a91938f7650b04d3dfaa1d8ec12578d3bb2618817529c8b5797
Formbook
+ 3'702 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fd62 rat spyware stealer trojan
Link:
https://tria.ge/reports/230803-janx4sdc2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
687c4e45e5982b8eeb6cb000873520718e01fe0074afd1161c0cdd88d25f82d4
MD5 hash:
98ad3d5e6d1e51f897074a078d47aa5a
SHA1 hash:
36db57c741b3aecddb0bad18e0724ed7dd05a675
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/6feb8cba-c13a-4f92-bfee-233885afa620/
Parent samples :
e5854984cb78e5ce4bcc31263e290d895b3de4660e87e0f5af115cb9b60b5500
63b0410652da12f415ba3be83cda769bd268b83000c425f666fbefb4fddbf3be
d38a6a6faeecb0d30b8d9a8d857e850f1f125dc1cfbe497899bd52695498bef5
344b3c764a7075a0cdc2a9cd3f390c6b195fc0601077f68db9e8678a27c0c204
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/6feb8cba-c13a-4f92-bfee-233885afa620/
SH256 hash:
24628359af990dcf6ea839659798f369f7e7bf943a5a2371b14187a64136e2c9
MD5 hash:
84d99df143a439a783f7c372086698dd
SHA1 hash:
2df362fe4620a2c7f4415fbf1e3c4c2a5cd394df
Link:
https://www.unpac.me/results/6feb8cba-c13a-4f92-bfee-233885afa620/
SH256 hash:
40821038dd9a8a0c85f1c5898dcdd8fac1499e0b569ddfbadffe1c6ceb0aa03b
MD5 hash:
71ff3a9613b8d58debedc2742c43def3
SHA1 hash:
17cc80f177b9baa3f97024e6c7606961aaf36e37
Link:
https://www.unpac.me/results/6feb8cba-c13a-4f92-bfee-233885afa620/
SH256 hash:
e5854984cb78e5ce4bcc31263e290d895b3de4660e87e0f5af115cb9b60b5500
MD5 hash:
7b429c29a5d488db61e5c22bbb162293
SHA1 hash:
03babc1e2648c8d6bf5547248c63639faca00de0
Link:
https://www.unpac.me/results/6feb8cba-c13a-4f92-bfee-233885afa620/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e5854984cb78/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe e5854984cb78e5ce4bcc31263e290d895b3de4660e87e0f5af115cb9b60b5500

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2696868/
Cape
Cape
https://www.capesandbox.com/analysis/440020/

Comments


Avatar
zbet commented on 2023-08-03 07:27:55 UTC

url : hxxp://2.59.254.18/_errorpages/defounderzx.exe