MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaf8e616d7608cb817b693d98b74cc185071ed8cae8baf803c377a43080b8d67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eaf8e616d7608cb817b693d98b74cc185071ed8cae8baf803c377a43080b8d67
SHA3-384 hash: a2da62976a15913a81bef1df331305a75b1225145608d2e16eda851bb7fa8be4a972a063faf87d7ef45100ac62b08be9
SHA1 hash: ec45caf6bdf2694b3dca481eae7a9c62a16ce84e
MD5 hash: 82bb851b1eed9c0d6734c8dc6a098dba
humanhash: idaho-saturn-florida-tennessee
File name:MXAcN2l7MCqRLNY.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:894'976 bytes
First seen:2022-02-14 15:25:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:Uyh1FeLZRHFQIpQtP8+4CLZhYtIR4X9mEqfRjsIkZ2K:91FetRvU0CKW4X9WRjFK
Threatray 13'391 similar samples on MalwareBazaar
TLSH T1A3151209BBA2E515C5620BBAE8D052516F74EE2E4087C3BF744C3ECD2FAB3994532536
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241408/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.49799.736.23630.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/620a748e289e2f3e4fd9b428/reports/39237004-4a69-4fd0-957a-a34b33f0d958/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b369900c-fb25-4834-9d1c-43162078852e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/939482
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 571958 Sample: MXAcN2l7MCqRLNY.exe Startdate: 14/02/2022 Architecture: WINDOWS Score: 100 31 canonicalizer.ucsuri.tcs 2->31 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 5 other signatures 2->39 11 MXAcN2l7MCqRLNY.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\MXAcN2l7MCqRLNY.exe.log, ASCII 11->29 dropped 49 Tries to detect virtualization through RDTSC time measurements 11->49 51 Injects a PE file into a foreign processes 11->51 15 MXAcN2l7MCqRLNY.exe 11->15         started        signatures6 process7 signatures8 53 Modifies the context of a thread in another process (thread injection) 15->53 55 Maps a DLL or memory area into another process 15->55 57 Sample uses process hollowing technique 15->57 59 Queues an APC in another process (thread injection) 15->59 18 explorer.exe 15->18 injected process9 process10 20 wlanext.exe 18->20         started        signatures11 41 Self deletion via cmd delete 20->41 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        25 explorer.exe 1 145 20->25         started        process12 process13 27 conhost.exe 23->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eaf8e616d7608cb817b693d98b74cc185071ed8cae8baf803c377a43080b8d67/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-14 08:59:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
21 of 42 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5l4omfwxmcglqf5wspmyw5gmdbihd3mmv2f27ab4g55egcalrvtq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2a170cc5086a00b41ce8ff4bcf8fce45f85aef342d4cf4d08f018943cc5221ac
Formbook
3d1c26a55a0b7a502b019b18f4b6e87c1273d3c42a50d20c958d510f530c5f40
Formbook
3e744c3094645bf04cea5756fe54d7b04a32a59bed5d945ac4ccc9b06fb85ef5
Formbook
8e133618d88f4eb1975953fc0ef639a7192f7fea403f5a777a698a4631f741a6
Formbook
9774f8078d941b17f5018bf3759bca9e62cfe4714ed55d5bd33737fcbba25ce3
Formbook
9bceb9680d39094087add5289a7e19aa93168faf9c5f2465700b117d59e8d841
Formbook
a6e23730cd711af23e7900cbabb871b668d37a74dda0c97d63f3303167861cf5
Formbook
aa067750ad705a1b6176cb6f3f91466c9d5c2ee4457c2466b995bef70c04b240
Formbook
ccf47d9fd0a0ddce06c265b87f0e2377bb58107c18659ac908b7e3a5731ad081
Formbook
d6a113f33599b8c821531df91dc5cd29501cab9fa911b8844a3447d0991e7362
Formbook
+ 13'381 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ufpm loader rat suricata
Link:
https://tria.ge/reports/220214-st7c8sbbdq/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader
Unpacked files
SH256 hash:
0f59e81aa6ee6a72e52273ad320bd48a0a24e93d846173fb12959fb04591a6ba
MD5 hash:
4189b22f033883705595b73f5d983ca9
SHA1 hash:
14f00a2b30b5ff4063e6e98c8a4070fb3a06663c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/68895cbb-07ef-47ad-9b4e-e5db78342205/
Parent samples :
eaf8e616d7608cb817b693d98b74cc185071ed8cae8baf803c377a43080b8d67
75e52fcffe8c57f96f521a16c80c3cfc75770ecd0f929cb88d1d4ed6f9d6e923
6c07430c9d1395b644fd2ee312b6df3d7509a04a29065e31301e722c1ad00178
70c6fd4de902c8ccce31380698b123def84b4d209c8b824e1065349a5aee9de2
52c0e61d96bee61df6c543a1d38835bf8cb4691f777fd2e81bc377543a53ef24
SH256 hash:
3aea9a40bbe8455a4149fd9b0536684cd030779e84b6b2f8904252ed18219e7f
MD5 hash:
f7372d56c1935d4728c4a88b3e35b240
SHA1 hash:
ee1e4b6bed62bec0c4cc2dd1880329395622adc0
Link:
https://www.unpac.me/results/68895cbb-07ef-47ad-9b4e-e5db78342205/
SH256 hash:
be9cf38aa803a518a1c9e630f8efa7ed2927759a46fa1cfa35278c602214ebfc
MD5 hash:
05a496104864a8e19172b88806dae5bf
SHA1 hash:
c81a69e853822706e81812f29bad268766fb072f
Link:
https://www.unpac.me/results/68895cbb-07ef-47ad-9b4e-e5db78342205/
SH256 hash:
3ca74eb4ce4c2c5604dc298949ae47996d93063abfde0682d689205561d17d44
MD5 hash:
4e35b541f3d9162d0ac93d336df67779
SHA1 hash:
bb9e65761186806d4bada659e9d5db0c070501d4
Link:
https://www.unpac.me/results/68895cbb-07ef-47ad-9b4e-e5db78342205/
SH256 hash:
eaf8e616d7608cb817b693d98b74cc185071ed8cae8baf803c377a43080b8d67
MD5 hash:
82bb851b1eed9c0d6734c8dc6a098dba
SHA1 hash:
ec45caf6bdf2694b3dca481eae7a9c62a16ce84e
Link:
https://www.unpac.me/results/68895cbb-07ef-47ad-9b4e-e5db78342205/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/eaf8e616d760/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eaf8e616d7608cb817b693d98b74cc185071ed8cae8baf803c377a43080b8d67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe eaf8e616d7608cb817b693d98b74cc185071ed8cae8baf803c377a43080b8d67

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/241408/

Comments