MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee96df216161f048ee9c50853b018f779d71bce1498f28a4d1b1bc3d797f14ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee96df216161f048ee9c50853b018f779d71bce1498f28a4d1b1bc3d797f14ac
SHA3-384 hash: 8fcf584c74e00279a60aa129466d4de3f72309967f98d57063fb31b6c2adf8bfae789702884485c32f8cc980335e7441
SHA1 hash: 90a239f29005c46351dc0ba13ec55c6a8858cc32
MD5 hash: 58e139c2d34846d74e928df2f53841c1
humanhash: emma-ink-xray-hotel
File name:EE96DF216161F048EE9C50853B018F779D71BCE1498F2.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:5'326'569 bytes
First seen:2021-10-29 02:31:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:ysc/NNPNU7KqxM52jQOdg4Ibbsh2VRS+CxJj9+sF0d2fAu9JqOUqOs:yzPun3jHdgnbVRKxJjFffAu2qOs
TLSH T16B363390F1D4453EC0F608B2D46A3EE7E3EAD4AB2B43F22B16427E5D1D511E858A91F3
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Formbook C2:
185.215.113.49:29659

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.49:29659 https://threatfox.abuse.ch/ioc/239240/
http://194.180.174.181/ https://threatfox.abuse.ch/ioc/239344/

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Socelars-9897110-1
Create hunting rule

Win.Packed.Socelars-9898166-1
Create hunting rule

Win.Packed.Jaik-9899450-0
Create hunting rule

Win.Packed.Socelars-9901328-1
Create hunting rule

Win.Packed.Socelars-9901378-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3e3f9d6-abc0-4fbd-b887-42472381c06f
Result
Threat name:
Backstage Stealer FormBook RedLine Socel
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878966
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected Costura Assembly Loader
Yara detected FormBook
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 511400 Sample: EE96DF216161F048EE9C50853B0... Startdate: 29/10/2021 Architecture: WINDOWS Score: 100 98 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->98 124 Multi AV Scanner detection for domain / URL 2->124 126 Malicious sample detected (through community Yara rule) 2->126 128 Antivirus detection for URL or domain 2->128 130 20 other signatures 2->130 11 EE96DF216161F048EE9C50853B018F779D71BCE1498F2.exe 10 2->11         started        14 WmiPrvSE.exe 2->14         started        signatures3 process4 file5 82 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->82 dropped 16 setup_installer.exe 21 11->16         started        process6 file7 56 C:\Users\user\AppData\...\setup_install.exe, PE32 16->56 dropped 58 C:\Users\user\AppData\...\Mon11f33d9091.exe, PE32 16->58 dropped 60 C:\Users\user\AppData\...\Mon11d6c56e21c.exe, PE32 16->60 dropped 62 16 other files (10 malicious) 16->62 dropped 19 setup_install.exe 1 16->19         started        process8 dnsIp9 100 127.0.0.1 unknown unknown 19->100 132 Adds a directory exclusion to Windows Defender 19->132 23 cmd.exe 19->23         started        25 cmd.exe 19->25         started        27 cmd.exe 19->27         started        29 12 other processes 19->29 signatures10 process11 signatures12 32 Mon11f33d9091.exe 23->32         started        37 Mon11d19c46272738.exe 25->37         started        39 Mon118cb658033866e.exe 27->39         started        134 Adds a directory exclusion to Windows Defender 29->134 41 Mon110a6b48c3f011fd.exe 29->41         started        43 Mon119a2cda569e.exe 14 2 29->43         started        45 Mon11be73039a1f765.exe 29->45         started        47 8 other processes 29->47 process13 dnsIp14 84 45.142.182.152 XSSERVERNL Germany 32->84 86 37.0.10.244 WKD-ASIE Netherlands 32->86 92 12 other IPs or domains 32->92 64 C:\Users\...\iladR9_Nt7k68uAd0OE6sMoq.exe, PE32 32->64 dropped 66 C:\Users\...\cSVc_4HsaQ8UBxcQGZvBlGYS.exe, PE32 32->66 dropped 68 C:\Users\user\...\search_hyperfs_204[1].exe, PE32 32->68 dropped 72 30 other files (10 malicious) 32->72 dropped 102 Antivirus detection for dropped file 32->102 104 Creates HTML files with .exe extension (expired dropper behavior) 32->104 106 Disable Windows Defender real time protection (registry) 32->106 49 dZttMoxM45hT1xMkTNeADB7i.exe 32->49         started        108 Query firmware table information (likely to detect VMs) 37->108 110 Tries to detect sandboxes and other dynamic analysis tools (window names) 37->110 112 Machine Learning detection for dropped file 37->112 122 2 other signatures 37->122 114 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 39->114 116 Checks if the current machine is a virtual machine (disk enumeration) 39->116 88 162.159.135.233 CLOUDFLARENETUS United States 41->88 118 Multi AV Scanner detection for dropped file 41->118 94 3 other IPs or domains 43->94 52 WerFault.exe 45->52         started        90 208.95.112.1 TUT-ASUS United States 47->90 96 4 other IPs or domains 47->96 70 C:\Users\user\AppData\...\Mon11d6c56e21c.tmp, PE32 47->70 dropped 120 Tries to harvest and steal browser information (history, passwords, etc) 47->120 54 Mon11d6c56e21c.tmp 47->54         started        file15 signatures16 process17 file18 74 C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll, PE32+ 49->74 dropped 76 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 54->76 dropped 78 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 54->78 dropped 80 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 54->80 dropped
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ee96df216161f048ee9c50853b018f779d71bce1498f28a4d1b1bc3d797f14ac/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 20:29:27 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=52ln6ilbmhyer3u4kcctwampo6oxdphbjghsrjgrwg6d26l7cswa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:socelars family:vidar family:warzonerat family:xloader botnet:706 botnet:8dec62c1db2959619dca43e02fa46ad7bd606400 botnet:937 botnet:janesam campaign:s0iw aspackv2 backdoor discovery evasion infostealer loader rat spyware stealer themida trojan
Link:
https://tria.ge/reports/211029-czqpnscdh8/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Warzone RAT Payload
Xloader Payload
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
WarzoneRat, AveMaria
Xloader
Malware Config
C2 Extraction:
https://petrenko96.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
65.108.20.195:6774
https://mas.to/@lilocc
http://www.kyiejenner.com/s0iw/
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
0f9f703a5c7fc081101bd1874df52884e293ccbbe31d98564d6c9220e59de856
MD5 hash:
80b72266ebe509a32268d1a83ae5c207
SHA1 hash:
ff36e75aedd50c1f87d2980cbd5ffe8bb511f641
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
933b04b537f93e9f81ba3e968915e211480a2eba97da0687623f67384a64b830
MD5 hash:
33c313818bfcaa5c777cbf81d886e8cf
SHA1 hash:
f98b8feb5f17085c238cafe42fdfefe2c7a90ebd
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
6b4929451dcbd246a9f4f5031ed3c098302e28e001be689391c152c09fba5ee3
MD5 hash:
a11405198bdda0ac5bcd6d211954bd3c
SHA1 hash:
efb5ef593667247577f2d15a860909561982f617
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
ab753f314f8289fa879dc906a5b3e78be5352ef06d0cfd908c2eba70d18d1785
MD5 hash:
56f6840b2b7e680f8323dd66226ed8e0
SHA1 hash:
bf635846ff4e054c7683448cb0ff14224b8d3558
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
8e75c115d7392276bc20ebd8d70aec5cac0eae07873e057f7324a995a9a1214d
MD5 hash:
a5187e4f2b5dabf9d5c2cc6ac19cc1a5
SHA1 hash:
b96fad301b65de3f6a380106c03a03712db307d9
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
e532a211c0b802a82ad96757d2e3d2f73cf346ef5591832a0c539cc6bb0ecd92
MD5 hash:
2df1ee3cd9cc7a2c3e266e08a51c478b
SHA1 hash:
aa5de466d668f2233d4bdbac4d51ff13e7fb5eb2
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
1d04bbabdb6da4db379ca057ac0d63fb27d8891b01cf3ffcb94573be1853ecaf
MD5 hash:
d58b4be4f3dec4843801511def20ae7d
SHA1 hash:
90be9caf1efa58d6ea70ae6783bfc8e05bd9ea16
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
d51ad740818f7d6553e3d5aefdc232380d63ff2a54d0ee944616a1a91ea05ea1
MD5 hash:
fe8fc67abc15f9fd69e3f6f1ee8a7f55
SHA1 hash:
65c0679be4fbf7da6f8fd990ad968344cc81826f
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
aff9ab692225614831ee1630686474da45ab76c978f91345309f76dc8f85c039
MD5 hash:
3a07caaa60f3b83b0e230fbfa6b0b357
SHA1 hash:
57d995c58ad58865787f32d7a1a0eedab1cf8e0f
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
664c563263c5fe41339c503a1eb12f23b3f64b993fd5d5146fdb0907b57631dd
MD5 hash:
f512e0f7ddd9b95a1a04e89caa9be57a
SHA1 hash:
2f23ebf8467081142df8aaf3f12e5bdeac87e292
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
ff236ccbd61d322a223e3152e768d0a195bde866d4debbe98929a80946382832
MD5 hash:
14b846dbd77dbedb574227310467d5fb
SHA1 hash:
01318111c3ae602914839f4f44f66dc095f3aa51
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc
MD5 hash:
21775ff041e7277d87aa8fdf1e09da6c
SHA1 hash:
6dd1d6716cb93adef6c9b39490a79e77fd5396c9
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
08c67541e178072c957a26a9dcc4a92b53af3ab2394eeeadbb657e4961b248c6
MD5 hash:
11d0d4ef5ef425283005a4ae8edad220
SHA1 hash:
3cd07230bd35fe30a20cf24eb9831330904881a9
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
247d69da57e075f15e7fedc62ef99404f3e4e15988d35c598054f6771567b12a
MD5 hash:
0ef47ae88282ced5a011034e25a46e07
SHA1 hash:
4ee96fa7cf4c7c0d3d909a1726a48551a81aaf72
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
0fbd853a669d4590b44cda0525f41aa99175133be439db7ca9cd575a2af2636b
MD5 hash:
bb4e4f419dbe419d5cdca7e8534ac023
SHA1 hash:
cdacd0ad82dcefa585734e751b1cea42161a9033
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
731a28f4bba47536627d8ca37c4ab973a9718ab92df1fb59f0385cdb3ed7f377
MD5 hash:
73efb9a14de0205559e9bc693b72b660
SHA1 hash:
c94e7e5e49f72426d8d2f976283fb95a122295b9
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
82507af5c859fb53e56da0b13c41ef8ab73048e719a3fd8544c6913a34b661c2
MD5 hash:
82276725dc43466cad36b9336d7289b9
SHA1 hash:
c1cda383c58c0e5e3689d2435eacef64a3959460
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
16b8578192a92b6aceb85bddfa1bc2c15bda4190e9d810830875a02e0a4cd2c8
MD5 hash:
465f373686dd8be78a9fb1f389e0e946
SHA1 hash:
82bac7e00355eafb63981be8f55ba7520e9bf819
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
b467b655fe0701f2e2191a894aa05e19175f999ecc9fdeac038460abde51b496
MD5 hash:
96867cece724a5a3b5e6adbdb052a250
SHA1 hash:
dd0f2204512b22ee290ebebf8c6677e65b2aa080
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
21699ec34ae8ffc4fcec2d5813fbb829174173c554176e4bb2d454dcf34b7b2d
MD5 hash:
2c14b80013f19301b28667008bb19c62
SHA1 hash:
14db1176185b4a031ac853fec1692f6cc9dfd285
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
SH256 hash:
ee96df216161f048ee9c50853b018f779d71bce1498f28a4d1b1bc3d797f14ac
MD5 hash:
58e139c2d34846d74e928df2f53841c1
SHA1 hash:
90a239f29005c46351dc0ba13ec55c6a8858cc32
Link:
https://www.unpac.me/results/9e251120-1e80-4a8b-9df3-70fd6d1848ef/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ee96df216161/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee96df216161f048ee9c50853b018f779d71bce1498f28a4d1b1bc3d797f14ac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments