MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec967cb2eeeb76c7acaba88e1c3eb6f5fa39cedb54b4edbb17eb0087977d21ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec967cb2eeeb76c7acaba88e1c3eb6f5fa39cedb54b4edbb17eb0087977d21ee
SHA3-384 hash: 66e3a7d66111bb0d8590983ed810e54b4cd27be38fe178bd58b36f1e052907f9b5e5d0f75579747f36e844b6c9ad167d
SHA1 hash: db94c37b6bbe1177db007317c0dd8ddc4c84e68b
MD5 hash: 33b907210bb4d49062f0e2747ea08c6d
humanhash: ack-equal-hydrogen-hot
File name:KDUSC-PRO-MAINT-117-2021.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:797'696 bytes
First seen:2021-11-15 06:54:14 UTC
Last seen:2021-11-15 08:52:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:2c7J+Tbs2ykUaTFH4ekvC1Zlst+R3WgxnwOh:23TFH4ekke+tP
Threatray 11'190 similar samples on MalwareBazaar
TLSH T166057C5563D3991AD09E03BCA054445493F4E311A24BE71F2AE0E9F82C773E2CDA9EE7
File icon (PE):PE icon
dhash icon 9d19195a1e2e460a (3 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205752/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.42063.20415.9533.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61920449a00afa9663a80b63/reports/651181ed-3ba4-4500-b9c0-a823738a6387/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c9c0e21-2ed6-4042-937f-5f28442a3ea2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/889643
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 522116 Sample: KDUSC-PRO-MAINT-117-2021.exe Startdate: 15/11/2021 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for domain / URL 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 7 other signatures 2->46 9 KDUSC-PRO-MAINT-117-2021.exe 3 2->9         started        process3 file4 28 C:\Users\...\KDUSC-PRO-MAINT-117-2021.exe.log, ASCII 9->28 dropped 48 Tries to detect virtualization through RDTSC time measurements 9->48 50 Injects a PE file into a foreign processes 9->50 13 KDUSC-PRO-MAINT-117-2021.exe 9->13         started        signatures5 process6 signatures7 52 Modifies the context of a thread in another process (thread injection) 13->52 54 Maps a DLL or memory area into another process 13->54 56 Sample uses process hollowing technique 13->56 58 Queues an APC in another process (thread injection) 13->58 16 chkdsk.exe 13->16         started        19 explorer.exe 13->19 injected process8 signatures9 32 Self deletion via cmd delete 16->32 34 Modifies the context of a thread in another process (thread injection) 16->34 36 Maps a DLL or memory area into another process 16->36 38 Tries to detect virtualization through RDTSC time measurements 16->38 21 explorer.exe 2 159 16->21         started        24 cmd.exe 1 16->24         started        process10 dnsIp11 30 192.168.2.1 unknown unknown 21->30 26 conhost.exe 24->26         started        process12
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ec967cb2eeeb76c7acaba88e1c3eb6f5fa39cedb54b4edbb17eb0087977d21ee/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-15 06:55:07 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5slhzmxo5n3mplflvchbypvw6x5dttw3ks2o3oyx5maipf35ehxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
35204f1850b1439ef9a8fd958d6c3045edae69378aa3593021795d0600fc5a01
Formbook
6446736e3662120e1fe4c3518bc8e6d14553f6b0b27aaf1fc5676e1f73a50c33
Formbook
696ba6fed0994cac4e47993f336820499cd3faf3ce4713d4e0be0ea0d91748af
Formbook
774c08451198a951fa73f9859b5e48c12c5df9214759e4717e56d92fb4c09d1e
Formbook
9508c04b4c1dd578c8c3b8597a68bb73548b107edcbb37f13909a18d85f78b3a
Formbook
a0d1e3fbe11fcbbea9dcad1880e23ea531c01c20fbbf383174cd420349657a01
Formbook
ac4a0328d512526f20122f0399d557b1334f3b2ac264d9e749d6d2788e956b2e
Formbook
ea693b5bb0a73a3cb5547fc88b5fff6f5198997a2b7e33a386dd3a5f0788e8ba
Formbook
ebc008a7b326afef547049414a909b2120e6e09b560c67e4b79d173195180691
Formbook
+ 11'180 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:u0n0 loader rat suricata
Link:
https://tria.ge/reports/211115-hpszyaedan/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.52xjg3.xyz/u0n0/
Unpacked files
SH256 hash:
cf88d8c1809ccd5edf41631bec8cbb58a0b7f59ef0827164464888cb97e7f6f9
MD5 hash:
2cedecbbeaab2c98adafb3746b040421
SHA1 hash:
6fb38bf634702caff714f66b0a936b180cceb75c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c1c43b8d-c6b2-48bd-97b0-7a4aa7e88fb3/
Parent samples :
45790f1cc3cb37ecfe541981ddf9d25684d92576cceb6bdb809f345014de84f0
696ba6fed0994cac4e47993f336820499cd3faf3ce4713d4e0be0ea0d91748af
ea693b5bb0a73a3cb5547fc88b5fff6f5198997a2b7e33a386dd3a5f0788e8ba
ec967cb2eeeb76c7acaba88e1c3eb6f5fa39cedb54b4edbb17eb0087977d21ee
25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b
16afc1275bbb9dc325bcb03d7d0fb57b704adc0438c5c006070bdd07f2259230
SH256 hash:
86fe170cc6dd3a576807c1192a06ead68bf210f9ccd14f1a81d4f44c2dbcc25f
MD5 hash:
bf5c170790a9378101dbc312303925e3
SHA1 hash:
bddaf21c02ba5cec7c4dfd1b1f289e23714a8ba8
Link:
https://www.unpac.me/results/c1c43b8d-c6b2-48bd-97b0-7a4aa7e88fb3/
SH256 hash:
ed37277c8893197ce0ceb6e33ff5196f5ad0b7bce2234a18d03beed311964782
MD5 hash:
236572e084cbb255c95c5d96ee8d012f
SHA1 hash:
9f1138606b191b8254d6fb388cee17e359cd81be
Link:
https://www.unpac.me/results/c1c43b8d-c6b2-48bd-97b0-7a4aa7e88fb3/
SH256 hash:
ec967cb2eeeb76c7acaba88e1c3eb6f5fa39cedb54b4edbb17eb0087977d21ee
MD5 hash:
33b907210bb4d49062f0e2747ea08c6d
SHA1 hash:
db94c37b6bbe1177db007317c0dd8ddc4c84e68b
Link:
https://www.unpac.me/results/c1c43b8d-c6b2-48bd-97b0-7a4aa7e88fb3/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ec967cb2eeeb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ec967cb2eeeb76c7acaba88e1c3eb6f5fa39cedb54b4edbb17eb0087977d21ee

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/205752/

Comments