MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1cb70b8963d11aab0392a24161c0851f2d320d62aa101c3f960bcf0d7d94619. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1cb70b8963d11aab0392a24161c0851f2d320d62aa101c3f960bcf0d7d94619
SHA3-384 hash: b0d79a53e3c6cd94f60e66c55df6517d68633d9585cd01739e6799c9c5c425c595a71ce323dace8e67cc636faa0bfc36
SHA1 hash: a2e4f6b50343a85ade04e9d168b0a8cc9cfd9af5
MD5 hash: 25ed69d3ea7c4da59aa0a482ee4b6ab5
humanhash: twelve-steak-north-mars
File name:dGWioTejLEz0eVM.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'536'000 bytes
First seen:2021-01-19 13:00:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:gxP84y3NGx5x7KBL1GVfge5v6hvMt1CYM:ALy3NGxz6L1GhgsB
Threatray 3'570 similar samples on MalwareBazaar
TLSH 886592AC723071DFC857D4F39AE81DA8AA546C6A431F4503B47736A9DA3C897CF143A2
Reporter abuse_ch
Tags:exe FormBook Yahoo


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: sonic304-20.consmr.mail.sg3.yahoo.com
Sending IP: 106.10.242.210
From: sale panle <s_panle@yahoo.com>
Subject: : Fwd: Wire Transfer Payment
Attachment: 5630098XX.rar (contains "dGWioTejLEz0eVM.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dGWioTejLEz0eVM.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-19 13:09:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a9e8f857-bd2f-4989-863b-be1a2102a017

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112886/
Detection(s):
Win.Packed.Genkryptik-9822492-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584996
Signature
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 341533 Sample: dGWioTejLEz0eVM.exe Startdate: 19/01/2021 Architecture: WINDOWS Score: 100 32 www.queendreea.club 2->32 34 queendreea.club 2->34 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected AntiVM_3 2->52 54 6 other signatures 2->54 11 dGWioTejLEz0eVM.exe 3 2->11         started        signatures3 process4 file5 30 C:\Users\user\...\dGWioTejLEz0eVM.exe.log, ASCII 11->30 dropped 64 Detected unpacking (changes PE section rights) 11->64 66 Tries to detect virtualization through RDTSC time measurements 11->66 68 Injects a PE file into a foreign processes 11->68 70 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->70 15 dGWioTejLEz0eVM.exe 11->15         started        signatures6 process7 signatures8 72 Modifies the context of a thread in another process (thread injection) 15->72 74 Maps a DLL or memory area into another process 15->74 76 Sample uses process hollowing technique 15->76 78 Queues an APC in another process (thread injection) 15->78 18 explorer.exe 15->18 injected process9 dnsIp10 36 gentilelibri.com 195.110.124.133, 49764, 80 REGISTER-ASIT Italy 18->36 38 www.besteprobioticakopen.online 54.38.220.85, 49761, 80 OVHFR France 18->38 40 22 other IPs or domains 18->40 56 System process connects to network (likely due to code injection or exploit) 18->56 22 cscript.exe 12 18->22         started        signatures11 process12 dnsIp13 42 www.sz-rhwjkj.com 22->42 44 gz01.bch.baidu-itm.com 22->44 46 2 other IPs or domains 22->46 58 Modifies the context of a thread in another process (thread injection) 22->58 60 Maps a DLL or memory area into another process 22->60 62 Tries to detect virtualization through RDTSC time measurements 22->62 26 cmd.exe 1 22->26         started        signatures14 process15 process16 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1cb70b8963d11aab0392a24161c0851f2d320d62aa101c3f960bcf0d7d94619/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 09:23:53 UTC
AV detection:
15 of 45 (33.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6hfxboewhui2vmbzfisbmhaikhzngigwfkqqdq7zmc6pbv6ziymq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00b4306bf3aa94183358ece86c01bb245ca2e39ba0a2d56f5b9d8b50c3ba3e91
Formbook
0e6c9ec44aee5518a67ba5b5beda49639a715f191bb77099ecd57e326fc0d811
Formbook
148007b32a311769a958c3f87c6c836b14457f17dbe6a9a0188b0f68b3c30b40
Formbook
574e414e22746d7781bd6ca6f4cc64be417b65696104dda71b037c9584cea01f
Formbook
65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb
Formbook
86879b01844ab067722fd2ca12bf5a666136348ca9a7f72a33ca42d9707e84d0
Formbook
ac23d4ba0e11c07488224b01abc734d353da88537ed55c945eec7a91a20216a4
Formbook
b4a9843d6c2869da17c9fb36d3aae7b869f3df444280943e07f3944f6408f086
Formbook
c826a0b0506ddc4d93aba9f41ed795a88cca8bdb8c54f4af5d8dbdf9767e9ad3
Formbook
fe30613b322753635f37763ebfeb63e065629b56e2924e51dc188f24be3f05d6
Formbook
+ 3'560 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210119-g3xne1nhpa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.besteprobioticakopen.online/uszn/
Unpacked files
SH256 hash:
1820c232000eaca2b342006581d1e0743ff2166f57f917b8691901867e7ad3e0
MD5 hash:
cc0ba93bd12ee998cacab013043ff2c6
SHA1 hash:
c5ca7761965d1eedceaab08eb3bc06963292bd87
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5e91daf7-bea0-4c2b-b902-b1ed3814f0ab/
Parent samples :
65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb
00b4306bf3aa94183358ece86c01bb245ca2e39ba0a2d56f5b9d8b50c3ba3e91
fe30613b322753635f37763ebfeb63e065629b56e2924e51dc188f24be3f05d6
f1cb70b8963d11aab0392a24161c0851f2d320d62aa101c3f960bcf0d7d94619
17adca833d9ccaf731ac41830d08db7b447ff391ce54052532d4d90fb4594a40
c408e9ac6c785de60c7a65c278c476165c660547645ff34ace23767ee2d16021
01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
87b9a54e05cadec6a6ba97a28c1de2b59b47987dcac4781203dc4811b2d33e24
ddaa3b6f19f3e7b9a6e8ebe8188ceea0d1bb0c285a0b2d783c8d0cc7005e37a6
SH256 hash:
faa2b592aeb80ebe0041ec8788e484529c4d948a57fccbde5c29c8d3a4de6de7
MD5 hash:
0773c246becf39c9c90cdd089ceda075
SHA1 hash:
c3d6ca7b5ff4dffca7e9d0f4f9287fc923b46bc0
Link:
https://www.unpac.me/results/5e91daf7-bea0-4c2b-b902-b1ed3814f0ab/
SH256 hash:
6e98bd2f70c12faeb74b32e915d879f6d8772f213f5c7a2b91ae48b3f571f281
MD5 hash:
0fb18c8ca0736bd91da21ff07b0ffa59
SHA1 hash:
baacb357694f6f8a089f9a0559d29be4517c10dd
Link:
https://www.unpac.me/results/5e91daf7-bea0-4c2b-b902-b1ed3814f0ab/
SH256 hash:
f1cb70b8963d11aab0392a24161c0851f2d320d62aa101c3f960bcf0d7d94619
MD5 hash:
25ed69d3ea7c4da59aa0a482ee4b6ab5
SHA1 hash:
a2e4f6b50343a85ade04e9d168b0a8cc9cfd9af5
Link:
https://www.unpac.me/results/5e91daf7-bea0-4c2b-b902-b1ed3814f0ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1cb70b8963d11aab0392a24161c0851f2d320d62aa101c3f960bcf0d7d94619

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 654d76821228c87040fbe0a9805d5e67d8dd0528561876b6090d3fb32786b6ad

Formbook

Executable exe f1cb70b8963d11aab0392a24161c0851f2d320d62aa101c3f960bcf0d7d94619

(this sample)

  
Dropped by
MD5 b74014ee03dc8afb8a97051f66ed0e04
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112886/
  
Dropped by
SHA256 654d76821228c87040fbe0a9805d5e67d8dd0528561876b6090d3fb32786b6ad

Comments