MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efe0ae3210b13df738be79a1e1da5f3696fd4144f21b3de6d6f54356bc50d050. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efe0ae3210b13df738be79a1e1da5f3696fd4144f21b3de6d6f54356bc50d050
SHA3-384 hash: 86301260510ddafcf19c04d2e67189bb3457b084c3dc0bdf59322b8750bbaa90e9a588c36d55d02be3b743aa8c6a618d
SHA1 hash: f0ed2f72c68b26762f9ef41c5628663dea6d1e69
MD5 hash: 1af6fe1f67b9110564017371bea49daa
humanhash: wisconsin-aspen-helium-harry
File name:Correos de España Recibo de impresión de paquete retrasado.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:534'016 bytes
First seen:2021-05-10 12:18:58 UTC
Last seen:2021-05-10 13:06:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:7/HFMw7Y9MA59CyMAn0+TJlPSUWijybxNlnR6f:rH+w09tVPPThebxNlR6f
Threatray 186 similar samples on MalwareBazaar
TLSH 40B4E099F7749CA5F817917D987AE8301133BE9A9427480E365E322D49A33C250F7F8B
Reporter abuse_ch
Tags:ESP exe FormBook geo

Intelligence

File Origin
# of uploads :
3
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/154010/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.29859.14949.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Creating a process from a recently created file
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/779325
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 411721 Sample: Correos de Espa#U00f1a Reci... Startdate: 12/05/2021 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for dropped file 2->42 44 8 other signatures 2->44 9 Correos de Espa#U00f1a Recibo de impresi#U00f3n de paquete retrasado.exe 5 2->9         started        process3 file4 26 Correos de Espa#U0...quete retrasado.exe, PE32 9->26 dropped 28 Correos de Espa#U0...exe:Zone.Identifier, ASCII 9->28 dropped 30 Correos de Espa#U0...e retrasado.exe.log, ASCII 9->30 dropped 12 Correos de Espa#U00f1a Recibo de impresi#U00f3n de paquete retrasado.exe 9->12         started        15 Correos de Espa#U00f1a Recibo de impresi#U00f3n de paquete retrasado.exe 9->15         started        process5 signatures6 46 Modifies the context of a thread in another process (thread injection) 12->46 48 Maps a DLL or memory area into another process 12->48 50 Sample uses process hollowing technique 12->50 52 Queues an APC in another process (thread injection) 12->52 17 control.exe 12->17         started        20 explorer.exe 12->20 injected process7 signatures8 32 Modifies the context of a thread in another process (thread injection) 17->32 34 Maps a DLL or memory area into another process 17->34 36 Tries to detect virtualization through RDTSC time measurements 17->36 22 cmd.exe 1 17->22         started        process9 process10 24 conhost.exe 22->24         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/efe0ae3210b13df738be79a1e1da5f3696fd4144f21b3de6d6f54356bc50d050/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 08:02:50 UTC
AV detection:
27 of 47 (57.45%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=57qk4mqqwe67oof6pgq6dws7g2lp2qke6int3zww6vbvnpcq2bia._file
Verdict:
unknown
Similar samples:
2c3cbc680c780cafc1f14b8050cd345cdb4e593813ed059f294046c288c4514b
Formbook
6173a7ce15143ef14d5109785782e3e2aadd6108535eff03e765d50a5f586c17
Formbook
6522bd3205d4f2eb0e2ed19912a478379d47f5c47dbbcd351d6de4f8b7b5c778
Formbook
718f9065e9aff74288e63d800e903057b889d54913c8ce27fc7859cf2643018b
Formbook
89000d578eb0764d4abce8dcc33a4096a588afd75943d5803f428d5a60d140d3
Formbook
8abaa16d8c8878bea5bc52bd5f80500333df51ee8e3212899abafd9d299131fd
Formbook
a59fbc4f9903ed18c989e87bc83073b463310ffe6c90a43c53400739719d0aae
Formbook
ad1e33b11bfc9e62d3694096c14296d5576db318d976dd2226e8c43645e153e9
Formbook
c210434fcb39927f4a0d0a844a1a883f8274bc3b9e6d3e6e883f8072f316ca6a
Formbook
e295db3f673745f6e7a9de653c3e7648eadb10702144b2542bf699c607efb8b1
Formbook
+ 176 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210510-gdnfcrszra/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.misskarenteachesenglish.com/tma3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/efe0ae3210b13df738be79a1e1da5f3696fd4144f21b3de6d6f54356bc50d050

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/154010/

Comments