MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6ced08f9d33a491dbfd37d5a8d81766fa63dda41f619eb8c7edb0ed3116047a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6ced08f9d33a491dbfd37d5a8d81766fa63dda41f619eb8c7edb0ed3116047a
SHA3-384 hash: 35080e0a656f324d40003bc696020ffb717302ad6ff1828445b77bcd59351ddbad2b05c8e949ddf08b253b13ae4ab03d
SHA1 hash: fd01c2a7b3260f95c3a8b4c11ff6a5ed960564c3
MD5 hash: 6dadb671c15cec39f7a0e03f397cafc2
humanhash: vermont-sierra-red-cup
File name:6dadb671c15cec39f7a0e03f397cafc2
Download: download sample
Signature Formbook
Create hunting rule
File size:298'680 bytes
First seen:2022-07-08 01:53:29 UTC
Last seen:2022-07-22 09:55:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:9II/LtvXq98oeKqHDtUSEx8OrDTX0eZrHv1ZN8MhCH1qEhNVPlqyEp71Hq:SN+ZfsrDTX/PbNbgNhHQ/K
Threatray 1'379 similar samples on MalwareBazaar
TLSH T14854CF2E73920A04D0981B78C1EB852967F3FB877377D78A3D4851DA4F117D18E8AB89
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Cerbu-9952791-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Reading critical registry keys
DNS request
Sending an HTTP GET request
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/62c78e3e4412db52dbf5f7ee/reports/a0974515-8d1a-4d1d-b98d-d80ccbc0329a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c7cc2cc6-01bc-46fd-9efa-4eaa7fdf1975
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1026875
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 659370 Sample: 5QMWmtuhP3 Startdate: 08/07/2022 Architecture: WINDOWS Score: 100 36 www.weddingseopro.com 2->36 38 www.trickwaves.com 2->38 40 5 other IPs or domains 2->40 48 Snort IDS alert for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 6 other signatures 2->54 11 5QMWmtuhP3.exe 1 2->11         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\5QMWmtuhP3.exe.log, ASCII 11->34 dropped 72 Writes to foreign memory regions 11->72 74 Allocates memory in foreign processes 11->74 76 Injects a PE file into a foreign processes 11->76 78 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->78 15 cvtres.exe 11->15         started        signatures6 process7 signatures8 80 Modifies the context of a thread in another process (thread injection) 15->80 82 Maps a DLL or memory area into another process 15->82 84 Sample uses process hollowing technique 15->84 86 2 other signatures 15->86 18 explorer.exe 1 15->18 injected process9 dnsIp10 42 xe9b5mzzqzez5t.life 216.18.208.202, 49827, 80 WEBNXUS United States 18->42 44 www.shopcycles3.com 162.213.255.237, 49830, 80 NAMECHEAP-NETUS United States 18->44 46 9 other IPs or domains 18->46 56 System process connects to network (likely due to code injection or exploit) 18->56 58 Performs DNS queries to domains with low reputation 18->58 60 Uses netsh to modify the Windows network and firewall settings 18->60 22 netsh.exe 1 12 18->22         started        signatures11 process12 signatures13 62 Tries to steal Mail credentials (via file / registry access) 22->62 64 Creates autostart registry keys with suspicious names 22->64 66 Tries to harvest and steal browser information (history, passwords, etc) 22->66 68 3 other signatures 22->68 25 cmd.exe 2 22->25         started        28 cmd.exe 1 22->28         started        process14 signatures15 70 Tries to harvest and steal browser information (history, passwords, etc) 25->70 30 conhost.exe 25->30         started        32 conhost.exe 28->32         started        process16
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e6ced08f9d33a491dbfd37d5a8d81766fa63dda41f619eb8c7edb0ed3116047a/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-07-07 22:36:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=43hnbd45gosjdw75g7k2rwaxm35ghxned5qz5ogh5wyo2miwar5a._file
Verdict:
malicious
Similar samples:
0afd6d772b09767847f0635c5e1e56d51ab97997bcd5cf82701f2159195065e7
Formbook
0dbc37565a20d8e5d40c4c554a194719291bc91ab86db587337b580106f41cb8
Formbook
1e31f411b06517388b7adbcc5bc918f3985d447f710aa9711926faf68d044f9a
Formbook
3784bb68e2b32e01c7cfd7aa34d701d87b66626bac5e7e1f8f7c2603cbecf8a9
Formbook
6f1962f02a28d836a95e44947f589b0288b2af48204a04d9cf1cf3fb347a0c8a
Formbook
a10d82b52187d90d7046806ce0e24997b192d9862bbe843869a4046f1c5fe926
Formbook
ed8513c6110eb76682b8d8f69d3f181e1ee9092478390088d958b572709a44dd
Formbook
efc51781bc3e82733e68f330ce4905d57bd3188a3584faa693a18223f17ec7ff
Formbook
+ 1'369 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:n8it loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220708-cbjw8aceck/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds policy Run key to start application
Blocklisted process makes network request
Xloader payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
05a8ab9bfc1a265caeb257b4edee8feb7a5b3b653e6acb0f40bec9b1f15dd932
MD5 hash:
1d49791abb6a5558c95ddfa97fc2d205
SHA1 hash:
f525de3dceb15a4916c117638e82bc594c33fe4e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
XLoader
Create hunting rule
Link:
https://www.unpac.me/results/d15b68be-8c54-473c-a447-24fb7b04aa41/
Parent samples :
1cbd3337b16b5bc9cf9a448349daf9b7d1667bc689d992af9d15c5af950852f9
154325f60d87e33962f45610a84bce0ec784d7e9bbcd584c34429b3e98b07ca7
d68fa1001c7c79b3a4c142875ded35be6b07025eabe4b6ad576c1c3d11054ac8
e6ced08f9d33a491dbfd37d5a8d81766fa63dda41f619eb8c7edb0ed3116047a
64b9f04e500e377972f23c923e678d2d3ec4aecc42d0634de4e09570b1d58d35
SH256 hash:
7b04702a288c844a238d3e2207e0182fe378df5fa8444d821f49127b6f42cff9
MD5 hash:
8c0c0247fb248c4c69c8a0ad9b389eb6
SHA1 hash:
9b0e830d84e91013e7af8fe6e17a7952b7be020e
Link:
https://www.unpac.me/results/d15b68be-8c54-473c-a447-24fb7b04aa41/
SH256 hash:
e6ced08f9d33a491dbfd37d5a8d81766fa63dda41f619eb8c7edb0ed3116047a
MD5 hash:
6dadb671c15cec39f7a0e03f397cafc2
SHA1 hash:
fd01c2a7b3260f95c3a8b4c11ff6a5ed960564c3
Link:
https://www.unpac.me/results/d15b68be-8c54-473c-a447-24fb7b04aa41/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e6ced08f9d33/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e6ced08f9d33a491dbfd37d5a8d81766fa63dda41f619eb8c7edb0ed3116047a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe e6ced08f9d33a491dbfd37d5a8d81766fa63dda41f619eb8c7edb0ed3116047a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2255188/

Comments


Avatar
zbet commented on 2022-07-08 01:53:42 UTC

url : hxxp://103.114.105.24/receipt/vbc.exe