MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e86f16b721dd16f293e9a5b160c05e01ea7c539b34d54dff55f4397c529cbabd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e86f16b721dd16f293e9a5b160c05e01ea7c539b34d54dff55f4397c529cbabd
SHA3-384 hash: 7e5245fe90f3efe2118aef00e7c78ca3801f0783775c6eeb319b7d1826bbdae67abe0a591153981aa23c0655811bcfe2
SHA1 hash: 5e9d55f3af7d1683d7bf4f42e8d3586921d8c845
MD5 hash: b8314926f037ce2189cbf2e45916447c
humanhash: emma-monkey-august-crazy
File name:Makbuz kopyası onaylandı 5.26.21.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:569'856 bytes
First seen:2021-05-26 07:39:29 UTC
Last seen:2021-05-26 09:18:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:L5s2UU47Qs/1bdfDWt4xunI+UEM+oX4iRyCEL2UJ4poMAIYB/smvTT8:9UUI/xdfD1uAEMRX4iRXE+
Threatray 5'265 similar samples on MalwareBazaar
TLSH FDC47CAC336075BEC4DFC5BA9B741EA8A624B876131FC503E85311B9991CA97CF344B2
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Makbuz kopyası onaylandı 5.26.21.exe
Verdict:
Malicious activity
Analysis date:
2021-05-26 09:23:49 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/7d082814-9b10-486b-80af-188692a0911d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/162305/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.EJA.genEldorado.6826.4300.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/792320
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 424719 Sample: Makbuz kopyas#U0131 onaylan... Startdate: 26/05/2021 Architecture: WINDOWS Score: 100 33 www.wwwbarefootrvresort.com 2->33 35 www.alkawtherabudhabi.com 2->35 37 alkawtherabudhabi.com 2->37 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 7 other signatures 2->51 11 Makbuz kopyas#U0131 onayland#U0131 5.26.21.exe 3 2->11         started        signatures3 process4 file5 31 Makbuz kopyas#U013...131 5.26.21.exe.log, ASCII 11->31 dropped 61 Injects a PE file into a foreign processes 11->61 15 Makbuz kopyas#U0131 onayland#U0131 5.26.21.exe 11->15         started        18 Makbuz kopyas#U0131 onayland#U0131 5.26.21.exe 11->18         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 20 explorer.exe 15->20 injected process9 dnsIp10 39 www.moatme.com 74.220.199.9, 49731, 80 UNIFIEDLAYER-AS-1US United States 20->39 41 www.mightycaller.com 81.17.18.197, 49730, 80 PLI-ASCH Switzerland 20->41 43 4 other IPs or domains 20->43 53 System process connects to network (likely due to code injection or exploit) 20->53 24 wscript.exe 20->24         started        signatures11 process12 signatures13 55 Modifies the context of a thread in another process (thread injection) 24->55 57 Maps a DLL or memory area into another process 24->57 59 Tries to detect virtualization through RDTSC time measurements 24->59 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e86f16b721dd16f293e9a5b160c05e01ea7c539b34d54dff55f4397c529cbabd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-26 07:30:30 UTC
AV detection:
18 of 47 (38.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5bxrnnzb3ulpfe7juwywbqc6ahvhyu43gtku372v6q4xyuu4xk6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
456614711c0a92e9455fc588f27889ee37c509b2f5e8c901d351346e8cf6140c
Formbook
4c84ae992216034d364ea35c6af5ee9c01826688106cf6bdbc32d6fc42584f62
Formbook
4d802d9e6ca2715f9181c8a3314dee02ef95901049bdc955e1b0a66eee2186d4
Formbook
4effc832d17d1b4d00e5b98bda9954f7c2684795db2451d4c2f056c84a0eff18
Formbook
8909a6a1081cf2202e33dbc0e496c5be450f360b8f2d63a05c8c671d5ffb00de
Formbook
8d27c368e6431f796a96389ac517d654ca3de20a6b9047095a47691532c7cf11
Formbook
9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
Formbook
ab6a4abae4d494b05d58dcf9a354231d3c7ae78fec4a62fc1f5559febdc3995c
Formbook
b9a1fe9efdf30fcb9880c9c06f7454179e57556e000ab5bca198bccca5623704
Formbook
e9a4a4d52dd0fa4d9536ef486a5a9e2213ca76c0edeb7be6a118e9c65571d37a
Formbook
+ 5'255 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210526-zvht6c7962/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.sistershantex.com/u2ni/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e86f16b721dd16f293e9a5b160c05e01ea7c539b34d54dff55f4397c529cbabd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e86f16b721dd16f293e9a5b160c05e01ea7c539b34d54dff55f4397c529cbabd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/162305/

Comments