MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef7be4314918c8498de5619f54b82be2cf17325d617af469fed30ed9cb754318. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef7be4314918c8498de5619f54b82be2cf17325d617af469fed30ed9cb754318
SHA3-384 hash: f6f2f7f56e9e34df67c07a0b243b7c8604f912ce60566952eb3c668373f8c4fb59c08981b4338f48df8537a0b4d3cd1b
SHA1 hash: 908b47a1d36c9bcc8eabd9840cbd15f1fa21adac
MD5 hash: 579f212f20ea736aeced0f27d9259231
humanhash: monkey-princess-delaware-carbon
File name:579f212f20ea736aeced0f27d9259231
Download: download sample
Signature Formbook
Create hunting rule
File size:549'376 bytes
First seen:2021-12-21 14:32:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:L0vB0PpfewOP+3SXhK7jAx2ccte7dJmiTuRfMCpGKOQuSmw/WU:qB0PpGwO23YhKk2co3
Threatray 12'573 similar samples on MalwareBazaar
TLSH T11AC4BE5CF611B4DFC82BCA36D9741C20AB51E477530FD75BA08722AD8D0D68B8E1A9E3
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipping_Doc_0000000.doc
Verdict:
Malicious activity
Analysis date:
2021-12-21 14:26:06 UTC
Tags:
exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/a3ff244c-1165-4974-b72c-1c738c94fec9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215668/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/61c1e5a04ab5c44cbf4b8e19/reports/5f792ec0-3888-4423-bc02-b27ce17eb8b0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b31691b-d4ae-4397-96d3-89cb146dd0ad
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/911015
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 543498 Sample: HvyylYzB2G Startdate: 21/12/2021 Architecture: WINDOWS Score: 100 31 www.indiadiscountedfares.com 2->31 33 www.d22.group 2->33 35 indiadiscountedfares.com 2->35 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 6 other signatures 2->47 9 HvyylYzB2G.exe 3 2->9         started        signatures3 process4 file5 23 C:\Users\user\AppData\...\HvyylYzB2G.exe.log, ASCII 9->23 dropped 55 Tries to detect virtualization through RDTSC time measurements 9->55 13 HvyylYzB2G.exe 9->13         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 13->57 59 Maps a DLL or memory area into another process 13->59 61 Sample uses process hollowing technique 13->61 63 Queues an APC in another process (thread injection) 13->63 16 explorer.exe 13->16 injected process9 dnsIp10 25 www.sxsxnt.com 173.231.37.76, 49773, 80 WEBNXUS United States 16->25 27 stardustfuel.com 15.197.142.173, 49777, 80 TANDEMUS United States 16->27 29 12 other IPs or domains 16->29 37 System process connects to network (likely due to code injection or exploit) 16->37 39 Performs DNS queries to domains with low reputation 16->39 20 cmstp.exe 16->20         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 20->49 51 Maps a DLL or memory area into another process 20->51 53 Tries to detect virtualization through RDTSC time measurements 20->53
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ef7be4314918c8498de5619f54b82be2cf17325d617af469fed30ed9cb754318/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-12-21 14:33:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
098a32bfcd332f71fdb65cf704994c70cf6390110340c809ae2cc66bddfbde04
Formbook
6fafca0825dbdedf739d4f57ea1b09563eed9834a54f2998b712891baeef4839
Formbook
87fb0ca5b0ebcc0dc80aeca8065b2e2bf1ec14cade124316227646bc59ad237c
Formbook
b6766af1afb815c61741089760278a15e9089ae7b14a3537faa4ca6e4ebfdffc
Formbook
b830b088dcc04db74fc8afbb16dcfff0134c405228be44df5d996a9a5b254bff
Formbook
bbbb4573dc583a2870aad1d30b310e6e61dae23c5652ae30207a392209d9dd6d
Formbook
d544f115e860d3282bd996d7b12ac92c10097d68d135667cca0f847ca754f8ef
Formbook
e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01
Formbook
f0748cd86f2648c4ff23611f87661ba89045039966eb9595c2fb4d046249e1f2
Formbook
+ 12'563 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b62n loader rat
Link:
https://tria.ge/reports/211221-rwvlsaeefr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
cc863038dfc58d37276a1f1cb952870d6a2cd81a7ac72d3ed7021e5c5aa1c8f0
MD5 hash:
2c5570f3b591aa1fd57f5ec62ab89b76
SHA1 hash:
7a451b030d1acef0a149e333ba9df225fc5494d1
Link:
https://www.unpac.me/results/a2eb3b95-f27a-4c42-a428-1adbf3417b8a/
SH256 hash:
752ac9c657b6659c2331107d69ca0ec832462fcc41538345465f22c201c7ff26
MD5 hash:
dd5663eb6a39803e2da0cd798788cd33
SHA1 hash:
a16e106f6251f5192fa394336c4edbc77f83d8d7
Link:
https://www.unpac.me/results/a2eb3b95-f27a-4c42-a428-1adbf3417b8a/
SH256 hash:
1bb5f92a9938fb8d6a97c1de80469a0ec325eecaee427122b09b248027a5e944
MD5 hash:
fbb2931f2e80c155c0d0ab7fc0d7ac4e
SHA1 hash:
9272b1b1b2974dccae8ce1c72db32df6cd96b919
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a2eb3b95-f27a-4c42-a428-1adbf3417b8a/
Parent samples :
3040f22b6d5519be09fd6bcf5865d095cefa7f19e0d55f24b7975885e50239a2
e66c52aca22de91160817e09506aec8daa8b0eb29883bda8b2478bf2424f5379
b65f290b74a2787160fa1febc0622f80a879fc6c366ef0aeb04e9ba9a76f8cea
4ace533157b96ff8c832cb31e81d6beb606e3fe4f63bae05b923b9d53946c100
b830b088dcc04db74fc8afbb16dcfff0134c405228be44df5d996a9a5b254bff
726a09eb16bf03392665f92c016045be1bff7518d1dd941f8dd6f9621a8fc608
969f23feda2971e5174b6e99caf296d4e21f69c7ccef0747c1efc61ed9c3a414
6fafca0825dbdedf739d4f57ea1b09563eed9834a54f2998b712891baeef4839
ef7be4314918c8498de5619f54b82be2cf17325d617af469fed30ed9cb754318
SH256 hash:
ef7be4314918c8498de5619f54b82be2cf17325d617af469fed30ed9cb754318
MD5 hash:
579f212f20ea736aeced0f27d9259231
SHA1 hash:
908b47a1d36c9bcc8eabd9840cbd15f1fa21adac
Link:
https://www.unpac.me/results/a2eb3b95-f27a-4c42-a428-1adbf3417b8a/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ef7be4314918/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef7be4314918c8498de5619f54b82be2cf17325d617af469fed30ed9cb754318

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe ef7be4314918c8498de5619f54b82be2cf17325d617af469fed30ed9cb754318

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1907305/
Cape
Cape
https://www.capesandbox.com/analysis/215668/

Comments


Avatar
zbet commented on 2021-12-21 14:32:21 UTC

url : hxxp://136.144.41.252/RCsreTUPG2BqXWk.exe