MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec56eaed4e42de73eb1f44c29d4a43bdadc6e4b2ad38456d62d7e81675469a5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec56eaed4e42de73eb1f44c29d4a43bdadc6e4b2ad38456d62d7e81675469a5e
SHA3-384 hash: 8ac068d5de0ba37e20eb84263dd371fc563326d7ba25e600eaabcaf1d834564fb1af823f5a456deea8212ff6c407725f
SHA1 hash: 0ceac77310a375a245f77c886f036c5dcb3d1196
MD5 hash: 240f72ba898fd62267183f00c67e8a44
humanhash: burger-hawaii-magnesium-romeo
File name:6024180.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:51'200 bytes
First seen:2022-03-17 13:40:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:tcD5x14gFhznQUbYUugVxlmMwCK/3deVDg:tKnRjpV630VDg
Threatray 14'464 similar samples on MalwareBazaar
TLSH T13B33070A789A9609D6D4BFFC99F1A58652767CE10020C14FACF97F1AAA33323DCC525D
File icon (PE):PE icon
dhash icon 174f4559191b1b13 (81 x AgentTesla, 68 x Formbook, 34 x SnakeKeylogger)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
6024180.exe
Verdict:
Malicious activity
Analysis date:
2022-03-18 00:33:50 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/d773c5c9-cc30-4929-99da-b5da96b9f76c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/251957/
Detection(s):
SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62333a730cd58dbd92aeb786/reports/f9443d3a-3a55-4ed3-b06a-ff5598d3bf5f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10876b78-2637-4e26-bcf5-7e5e7fafaf79
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/958754
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected FormBook
Yara detected MSILDownloaderGeneric
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 591233 Sample: 6024180.exe Startdate: 17/03/2022 Architecture: WINDOWS Score: 100 72 Malicious sample detected (through community Yara rule) 2->72 74 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 8 other signatures 2->78 10 6024180.exe 16 7 2->10         started        process3 dnsIp4 62 cdn.discordapp.com 162.159.130.233, 443, 49759 CLOUDFLARENETUS United States 10->62 56 C:\Users\user\AppData\...\Znludbfxl.exe, PE32 10->56 dropped 58 C:\Users\...\Znludbfxl.exe:Zone.Identifier, ASCII 10->58 dropped 60 C:\Users\user\AppData\...\6024180.exe.log, ASCII 10->60 dropped 88 Writes to foreign memory regions 10->88 90 Allocates memory in foreign processes 10->90 92 Injects a PE file into a foreign processes 10->92 15 MSBuild.exe 10->15         started        18 cmd.exe 1 10->18         started        file5 signatures6 process7 signatures8 106 Modifies the context of a thread in another process (thread injection) 15->106 108 Maps a DLL or memory area into another process 15->108 110 Sample uses process hollowing technique 15->110 112 2 other signatures 15->112 20 explorer.exe 1 15->20 injected 23 conhost.exe 18->23         started        25 timeout.exe 1 18->25         started        process9 signatures10 80 Uses netsh to modify the Windows network and firewall settings 20->80 27 Znludbfxl.exe 14 4 20->27         started        31 Znludbfxl.exe 3 20->31         started        33 svchost.exe 20->33         started        35 3 other processes 20->35 process11 dnsIp12 64 162.159.135.233, 443, 49775, 49776 CLOUDFLARENETUS United States 27->64 66 cdn.discordapp.com 27->66 94 Multi AV Scanner detection for dropped file 27->94 96 Machine Learning detection for dropped file 27->96 98 Writes to foreign memory regions 27->98 37 MSBuild.exe 27->37         started        40 cmd.exe 27->40         started        68 192.168.2.1 unknown unknown 31->68 70 cdn.discordapp.com 31->70 100 Allocates memory in foreign processes 31->100 102 Injects a PE file into a foreign processes 31->102 42 MSBuild.exe 31->42         started        44 cmd.exe 31->44         started        46 MSBuild.exe 31->46         started        104 Tries to detect virtualization through RDTSC time measurements 33->104 signatures13 process14 signatures15 82 Modifies the context of a thread in another process (thread injection) 37->82 84 Maps a DLL or memory area into another process 37->84 86 Sample uses process hollowing technique 37->86 48 conhost.exe 40->48         started        50 timeout.exe 40->50         started        52 conhost.exe 44->52         started        54 timeout.exe 44->54         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec56eaed4e42de73eb1f44c29d4a43bdadc6e4b2ad38456d62d7e81675469a5e/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2022-03-17 13:39:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5rlov3koilphh2y7itbj2ssdxww4nzfsvu4ek3lc27ubm5kgtjpa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0b7b92e40a75e7c96676e65733f2babfdf0c37529c130619510b2b0b7879a697
Formbook
35b9a28eb1037b1792db91b28257ac604ff7de9a12dd93f9ae658e73cbd97fdb
Formbook
38444024682d6ea391135d374ecd6f457bb01df512801e25fcbd2931afe58d92
Formbook
4c6c6d26b853d44fc189e67eaa4f65e440d6ee75ac8a5bde95ccc73b0b611c2a
Formbook
6f0508408689f77795e27f5320115355744c6b7d02cf59197dae8646bc73f267
Formbook
747f948dea9afe0caf124dfbda7a3dad32851baf62d502ded5d6d0b560bca033
Formbook
b81070ab1c53b68f110a8127a7b1bc7fc83d9726c50e787949cac94f809bd92d
Formbook
cb50c19d2d18350fed8304ddb50efe3ce6f17d9f5923ffa5d407db718f787c92
Formbook
cee2290e27d378faacd5a9ab5fc579e912c1ecee9db29e4e79d8b9cd7ee10c94
Formbook
dae8588b604d0728a1a1ecc77096197a34ed1b22ae7de69a53f39b59e6574ffd
Formbook
+ 14'454 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:s9m1 loader persistence rat
Link:
https://tria.ge/reports/220317-qy4f2aeeg4/
Behaviour
Delays execution with timeout.exe
Gathers network information
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Xloader Payload
Xloader
Unpacked files
SH256 hash:
ec56eaed4e42de73eb1f44c29d4a43bdadc6e4b2ad38456d62d7e81675469a5e
MD5 hash:
240f72ba898fd62267183f00c67e8a44
SHA1 hash:
0ceac77310a375a245f77c886f036c5dcb3d1196
Link:
https://www.unpac.me/results/f80fdb5e-c2af-41ec-bff5-7c3752dcf7ef/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ec56eaed4e42/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/ec56eaed4e42de73eb1f44c29d4a43bdadc6e4b2ad38456d62d7e81675469a5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Discord_Attachments_URL
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/251957/

Comments