MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef4a9aba2afcd39bbfbce4fde4f5b14869115984d430c2e73353e89e214feaa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef4a9aba2afcd39bbfbce4fde4f5b14869115984d430c2e73353e89e214feaa4
SHA3-384 hash: 398bb49c8238fbe1c9f9a4e148f7b66f047f14d5266ca7e4f9b3634b5f1ad473fb79a738e4092ec50cbbd2c673aa512e
SHA1 hash: bfea883dcce9c7d6d64b8e194800b75890a36610
MD5 hash: b76aa61a1aa68c1c143e52bf6191e4a7
humanhash: bulldog-west-indigo-early
File name:invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:790'528 bytes
First seen:2021-09-22 23:16:57 UTC
Last seen:2021-09-23 06:51:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:/oaqmtiK5oFRp4Nvh46azZU6ZfdvsrxI04ZPX9Kvrthak:zq+FoFReC60+6JdUrxlEXA5ha
Threatray 9'845 similar samples on MalwareBazaar
TLSH T1D5F47AC56D889A13C3940632DC5D6205366C6C4A3723934BEBE53E7B3EFE2C7812D59A
File icon (PE):PE icon
dhash icon a28aa2e2e0aaa2a2 (14 x Formbook, 11 x AgentTesla, 5 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
4
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
invoice.exe
Verdict:
Malicious activity
Analysis date:
2021-09-22 23:18:05 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/0dac15ea-e2e9-4a08-8e70-d117d0424e77

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190431/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.26929.UNOFFICIAL
Create hunting rule

Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9ca0506e-bcb2-4ec7-9c42-de5e25fe18d3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856055
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 488486 Sample: invoice.exe Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 33 www.sese.one 2->33 35 p4630.cdn99.cc 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 7 other signatures 2->49 11 invoice.exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\invoice.exe.log, ASCII 11->31 dropped 63 Tries to detect virtualization through RDTSC time measurements 11->63 65 Injects a PE file into a foreign processes 11->65 15 invoice.exe 11->15         started        18 invoice.exe 11->18         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 20 explorer.exe 15->20 injected process9 dnsIp10 37 www.buyidh.xyz 160.119.72.212, 49833, 80 QUICKPACKETUS Seychelles 20->37 39 vaveform.com 198.54.114.232, 49824, 80 NAMECHEAP-NETUS United States 20->39 41 8 other IPs or domains 20->41 51 System process connects to network (likely due to code injection or exploit) 20->51 53 Performs DNS queries to domains with low reputation 20->53 24 cmmon32.exe 20->24         started        signatures11 process12 signatures13 55 Self deletion via cmd delete 24->55 57 Modifies the context of a thread in another process (thread injection) 24->57 59 Maps a DLL or memory area into another process 24->59 61 Tries to detect virtualization through RDTSC time measurements 24->61 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ef4a9aba2afcd39bbfbce4fde4f5b14869115984d430c2e73353e89e214feaa4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 23:17:06 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=55fjvork7tjzxp544t66j5nrjburcwme2qymfzztkpuj4ikp5ksa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
115716164b2092df207c750d11a2b4ce05bee204b7f21f1f62d93a5b7d78afa1
Formbook
1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24
Formbook
5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8
Formbook
695b006f3b83048d47ea1fcae9d7cbacac8f82b4f3d2908ca20f06788e8b3b92
Formbook
7b4c1bf9a15a419080fe02866aa26f162f79d5e01763c6af5915b07988556223
Formbook
84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d
Formbook
9545b9927196fd12d327c38b6f99dbfe3be7beeefb9e4c4a9d3b038c5c39c119
Formbook
f67b56c419eaa4e3df12d7624c0ef0047fb7ca691a888e02225c9ba6610e8f96
Formbook
+ 9'835 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:etaf loader rat
Link:
https://tria.ge/reports/210922-29pykaead8/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.jingkevip.com/etaf/
Unpacked files
SH256 hash:
857d1f34774a5c7f5debe1e2a5efde128f12921247f167ba4a35a8eb6385cb47
MD5 hash:
2e649100656a063befb21d563d8da57c
SHA1 hash:
2b0683aec0553362a6f774bb26c8dd2324503fd5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0503e5d8-e596-4f6d-97c7-262f0133ea6a/
Parent samples :
9545b9927196fd12d327c38b6f99dbfe3be7beeefb9e4c4a9d3b038c5c39c119
ef4a9aba2afcd39bbfbce4fde4f5b14869115984d430c2e73353e89e214feaa4
695b006f3b83048d47ea1fcae9d7cbacac8f82b4f3d2908ca20f06788e8b3b92
f67b56c419eaa4e3df12d7624c0ef0047fb7ca691a888e02225c9ba6610e8f96
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/0503e5d8-e596-4f6d-97c7-262f0133ea6a/
SH256 hash:
5d1f9e3b512e9337e8362650b547da34101526f7476fd209a2b718e222b8d6e1
MD5 hash:
0a8bc1c2dea2855c250d9ea41df4c80c
SHA1 hash:
2e86b28c9d8a5f3cf6db967f04a2949ddbeaac57
Link:
https://www.unpac.me/results/0503e5d8-e596-4f6d-97c7-262f0133ea6a/
SH256 hash:
8d0832805f927dc0ae6b2a39c3f543050a9d9be3b3af2fd985dc363b37f01657
MD5 hash:
fb3cbed325aee0fdcc68aa8bd4a834b1
SHA1 hash:
0676c5da0bcc9088185f3c2b29209bef1c387702
Link:
https://www.unpac.me/results/0503e5d8-e596-4f6d-97c7-262f0133ea6a/
SH256 hash:
ef4a9aba2afcd39bbfbce4fde4f5b14869115984d430c2e73353e89e214feaa4
MD5 hash:
b76aa61a1aa68c1c143e52bf6191e4a7
SHA1 hash:
bfea883dcce9c7d6d64b8e194800b75890a36610
Link:
https://www.unpac.me/results/0503e5d8-e596-4f6d-97c7-262f0133ea6a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/ef4a9aba2afcd39bbfbce4fde4f5b14869115984d430c2e73353e89e214feaa4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ef4a9aba2afcd39bbfbce4fde4f5b14869115984d430c2e73353e89e214feaa4

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/190431/

Comments