MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e758bb48c928adf5efd0f20fe9225beb1d6a6dfea2961caff1f9444ae8ac9e87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e758bb48c928adf5efd0f20fe9225beb1d6a6dfea2961caff1f9444ae8ac9e87
SHA3-384 hash: 6643b21005a9169c1e989c1c60640b4aa1b606e055c11c075adf45834c2f056432c376a95702c7d550b1f7f2eed5fd3c
SHA1 hash: 7032fa9c269bf96815c522e32a5af7351af7a69f
MD5 hash: a026e370552fdc1f715cf46f9609a058
humanhash: william-river-india-hawaii
File name:triage_dropped_file
Download: download sample
Signature Formbook
Create hunting rule
File size:667'648 bytes
First seen:2021-12-01 12:54:20 UTC
Last seen:2021-12-01 14:41:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:meIHUoJJE1rt0aIxr6xT/aAMJXWn7FSt0tkshMH3lTxYoLW2wbA:meIHUfW9OxMJsgqtFmH5xZlwb
Threatray 11'952 similar samples on MalwareBazaar
TLSH T11BE413613A744B26D9B807F9907258D257FAB63E21A0D6880FC9B5CF0937F5C8B14E83
Reporter malwarelabnet
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
triage_dropped_file
Verdict:
Suspicious activity
Analysis date:
2021-12-01 12:58:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5d82e272-5887-43b3-9346-c75bdfb72279

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/210308/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1124.5610.28735.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61a770ad86bf67e7121d4c26/reports/72a4c9dc-ca69-4dc6-80a4-975e952219fb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1acabbfa-e87e-4192-b094-4f1631a352c8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/899393
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 531867 Sample: triage_dropped_file Startdate: 01/12/2021 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Yara detected AntiVM3 2->36 38 4 other signatures 2->38 10 triage_dropped_file.exe 3 2->10         started        process3 signatures4 48 Tries to detect virtualization through RDTSC time measurements 10->48 50 Injects a PE file into a foreign processes 10->50 13 triage_dropped_file.exe 10->13         started        16 triage_dropped_file.exe 10->16         started        process5 signatures6 52 Modifies the context of a thread in another process (thread injection) 13->52 54 Maps a DLL or memory area into another process 13->54 56 Sample uses process hollowing technique 13->56 58 Queues an APC in another process (thread injection) 13->58 18 explorer.exe 13->18 injected process7 process8 20 mstsc.exe 18->20         started        signatures9 40 Self deletion via cmd delete 20->40 42 Modifies the context of a thread in another process (thread injection) 20->42 44 Maps a DLL or memory area into another process 20->44 46 Tries to detect virtualization through RDTSC time measurements 20->46 23 explorer.exe 1 174 20->23         started        26 cmd.exe 1 20->26         started        process10 dnsIp11 30 192.168.2.1 unknown unknown 23->30 28 conhost.exe 26->28         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e758bb48c928adf5efd0f20fe9225beb1d6a6dfea2961caff1f9444ae8ac9e87/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-01 12:55:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=45mlwsgjfcw7l36q6ih6sis35mowu3p6uklbzl7r7fcev2fmt2dq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
060c2f164a53cf74817b9b2f176d770dbde8b1ef71fe5322abf9ae8197232b7d
Formbook
1bdc41058e53e885ccf81cf42ddac59733b6608f40719017dde98ac33ed8b8f5
Formbook
8ab0631733cbd75ee80236daf25af3a79d6c2471c2c5b3f354407f92101bea28
Formbook
9136c283e5029c2f073b706014f6f73b67ead84450267cb5ce0dd26cbcecaa25
Formbook
a104d6d98afd1eca774c2b8b12aee19bbc52216a358d9bf00ebfb503ef8e553d
Formbook
aaf0400f83fd271800e1f4cb50fab438958eb3771a6b6a9401c5fa66c1c5b956
Formbook
b2663af445ff18476795d3462841a45488a9f2fd53c92d0c798e2e24892e10ae
Formbook
bd7cddd657e0144076352a60664ca134c2ddee8ffe8da70793d5b97f17cf9318
Formbook
f0a7f92f4fa639da7f829e82242a21aa8861bc98f1783b51638e04dc148e81b5
Formbook
ff50a282945cb9b5a738f97aa08714f874469eaa4ed79fcd0c5fd0c12d6a4be8
Formbook
+ 11'942 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:fqiq loader rat
Link:
https://tria.ge/reports/211201-p5sgnscbdq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.esyscoloradosprings.com/fqiq/
Unpacked files
SH256 hash:
17384292c81f067f30530ec76c62adcadaf8bfcdb6e8cb7b90315ac3addc8330
MD5 hash:
59e997fc3264675ad9942422af2bc0fb
SHA1 hash:
af6fe49a87fa04fe46e20593a440d8120ef971c7
Link:
https://www.unpac.me/results/8a847fdd-445d-40d3-98e9-c0151a66fc89/
SH256 hash:
b19104b568ca3ddccc2a8d3d10ecddb1ea240171e798dc3a486292cfa14b6365
MD5 hash:
7b0900da932f4ed9630d65b04422736d
SHA1 hash:
6fa340436e3a8e73ae2b3e911f861483183c68ef
Link:
https://www.unpac.me/results/8a847fdd-445d-40d3-98e9-c0151a66fc89/
SH256 hash:
e758bb48c928adf5efd0f20fe9225beb1d6a6dfea2961caff1f9444ae8ac9e87
MD5 hash:
a026e370552fdc1f715cf46f9609a058
SHA1 hash:
7032fa9c269bf96815c522e32a5af7351af7a69f
Link:
https://www.unpac.me/results/8a847fdd-445d-40d3-98e9-c0151a66fc89/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e758bb48c928/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/e758bb48c928adf5efd0f20fe9225beb1d6a6dfea2961caff1f9444ae8ac9e87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/210308/

Comments