MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebceba62910d7167907d9ece3bdce1dacdf778e82d07801478e0240621100b25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebceba62910d7167907d9ece3bdce1dacdf778e82d07801478e0240621100b25
SHA3-384 hash: d542ec34de957849a8f5f7ed7dc1fce46d7b1e40799addd7fa7bfe00a0a9c31b9dc74b8b29bed376031b08d3cc54a3c7
SHA1 hash: 96b62057be687eef380d5d580003719aa5c6f32d
MD5 hash: 4a18a824aecef26f86a454b0a568ed55
humanhash: lemon-idaho-berlin-orange
File name:4a18a824aecef26f86a454b0a568ed55
Download: download sample
Signature Formbook
Create hunting rule
File size:891'904 bytes
First seen:2021-08-10 14:42:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:uWK3n3qGaNHEyC9/oR9gy5FHK7zMQSGedS0N2hIbUKf8DZAiMKRT1VOeJLz2HVJ0:uWKnPp9AR95yv0dS0wIP8DZAiLT1FU0
Threatray 7'556 similar samples on MalwareBazaar
TLSH T1FB15024723809393C415AB37189AA3970675E9D8DBA1DEED3882742E1DF7341CE17BA3
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4a18a824aecef26f86a454b0a568ed55
Verdict:
Malicious activity
Analysis date:
2021-08-10 14:46:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a2e1e080-7950-49c1-8710-c2cf8e407b0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178000/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.2343.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16b3d04a-cbe7-4c1c-90ad-0c082426ed2b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830271
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 462723 Sample: 2Cq2aYdh4u Startdate: 10/08/2021 Architecture: WINDOWS Score: 100 31 www.justiceforfitz.com 2->31 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 4 other signatures 2->45 11 2Cq2aYdh4u.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\2Cq2aYdh4u.exe.log, ASCII 11->29 dropped 55 Tries to detect virtualization through RDTSC time measurements 11->55 57 Injects a PE file into a foreign processes 11->57 15 2Cq2aYdh4u.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.tipsnp.com 172.67.182.55, 49743, 80 CLOUDFLARENETUS United States 18->33 35 shops.myshopify.com 23.227.38.74, 49740, 80 CLOUDFLARENETUS Canada 18->35 37 7 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 colorcpl.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ebceba62910d7167907d9ece3bdce1dacdf778e82d07801478e0240621100b25/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 14:43:06 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0be0e163dc73ff0278c2a645bb15a50db6e59bf1aa293dd718c96c27f73f8db7
Formbook
4634683041f3a17fd3e66e086f2730d0f130bcbb0cd55594a697f140a43f87be
Formbook
5023ffb96d6d21805c48f275dbb208a1671ab8dd7f3c170ca4dba1ac08c075f9
Formbook
68fa77befde4e147cc7bc2fb142306a94245adb49c4ccca175f12f29414ce3d1
Formbook
930ff364210f0d0e18cf5ead705f1b8724512ebf556cf4c64dc69783d7a66197
Formbook
b5e2b52a984579c7f0aa92d0acaa6eef67f06af5330857ba98a62345edd59908
Formbook
bfd74e1ea55e63ca7d7b298355a632f8df0f3fc558ae721ef21cc60ae08b82bb
Formbook
cac668b50ea54195a30a9a5bfb64ff95fcc22db46c6f3c993581911c332cfbea
Formbook
db49dbfeed349b8c5ac59aab65bd065a7e9d90a1a45bcee96301fae6cfd508ef
Formbook
f952aa1436789095d76fe6a50ff7ea387aef9751e9b6f0130fcb203040881570
Formbook
+ 7'546 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ixwn loader rat
Link:
https://tria.ge/reports/210810-8gqdhgrcxx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.fevvwji.icu/ixwn/
Unpacked files
SH256 hash:
ed0dd1e2260da7b03c8b80e0b45e8fef44be722c1e8c41e078c1a25ed0d18ecc
MD5 hash:
6057ce35bd926dd6d49dedfa9cc18372
SHA1 hash:
1f4e44e1740ffbd91129ac3a37d22845bc52c158
Link:
https://www.unpac.me/results/ceec9ffa-dbd1-4dae-ac4f-f088d4acb4cb/
SH256 hash:
e50fd004566508432fc3d18cecacfefd220a110003d5b91e74d5c231830f3007
MD5 hash:
2a9cc40ccf2c4670612fc8599ec3023e
SHA1 hash:
fda811658d73da2ed8b1f0d4cb352f9dd81e6708
Link:
https://www.unpac.me/results/ceec9ffa-dbd1-4dae-ac4f-f088d4acb4cb/
SH256 hash:
40875325c8de30360d933cac72cc7f79eb72b3bed993b1a3d153c970dc0c1a82
MD5 hash:
0761fe3886492a1428863ffd1487c562
SHA1 hash:
3230f2b55bce854edaaf6852c57742a3a9884569
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ceec9ffa-dbd1-4dae-ac4f-f088d4acb4cb/
Parent samples :
db49dbfeed349b8c5ac59aab65bd065a7e9d90a1a45bcee96301fae6cfd508ef
ebceba62910d7167907d9ece3bdce1dacdf778e82d07801478e0240621100b25
2289ed4365f6de6fbfc6b2faa52cc0e0e4f898468ba079b3f58e29d9a73e49c7
SH256 hash:
ebceba62910d7167907d9ece3bdce1dacdf778e82d07801478e0240621100b25
MD5 hash:
4a18a824aecef26f86a454b0a568ed55
SHA1 hash:
96b62057be687eef380d5d580003719aa5c6f32d
Link:
https://www.unpac.me/results/ceec9ffa-dbd1-4dae-ac4f-f088d4acb4cb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ebceba62910d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/ebceba62910d7167907d9ece3bdce1dacdf778e82d07801478e0240621100b25

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe ebceba62910d7167907d9ece3bdce1dacdf778e82d07801478e0240621100b25

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1522103/
Cape
Cape
https://www.capesandbox.com/analysis/178000/

Comments


Avatar
zbet commented on 2021-08-10 14:42:57 UTC

url : hxxp://202.55.133.158/windows/.wininit.exe