MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f236d3c17eddd7b270030bd19051b43c8827af7925336611d0569e73c9b058b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f236d3c17eddd7b270030bd19051b43c8827af7925336611d0569e73c9b058b9
SHA3-384 hash: 49fd2d4cfbc846447bb632c858ff64b9bb66bcca11a8317acbe538c5b025082ec8c6b411685efbf0d9647768d3d1ff78
SHA1 hash: f60f94d24ed8658577d9b787f5aa51d290390dc9
MD5 hash: f0e566e1be01b2814c127f5b9af97ea9
humanhash: bacon-timing-blue-whiskey
File name:RFQ5372837484.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:21'504 bytes
First seen:2021-08-16 05:27:36 UTC
Last seen:2021-08-16 07:04:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:T/UdJy7uXpn9O8T7As3sqNhYEVcU4l7TNvwXSMfK28lm3AJqriVd+CBYv21MD6ZW:jUdc7uXpn0WEs3sqNujNvwXBy0yyP3bZ
Threatray 348 similar samples on MalwareBazaar
TLSH T142A2D69032646B2BD9BEA7F8C0A7512013F2678B6073EE1D2DCE60DB7825F805551F5B
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ5372837484.exe
Verdict:
Malicious activity
Analysis date:
2021-08-16 05:28:51 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/7308a113-7eef-45bd-b50d-725322db0de6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179411/
Detection(s):
SecuriteInfo.com.ArtemisF0E566E1BE01.26857.10893.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP GET request
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ee922c09-07f9-4adf-92df-6c66a0cb5e31
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833299
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 465730 Sample: RFQ5372837484.exe Startdate: 16/08/2021 Architecture: WINDOWS Score: 100 58 www.wenjiangongxiang.com 2->58 60 www.jemadrqhahcesdeze.com 2->60 86 Found malware configuration 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 Antivirus detection for URL or domain 2->90 92 6 other signatures 2->92 11 RFQ5372837484.exe 15 4 2->11         started        14 RFQ5372837484.exe 3 2->14         started        signatures3 process4 dnsIp5 70 cdn.discordapp.com 162.159.133.233, 443, 49711, 49716 CLOUDFLARENETUS United States 11->70 17 cmd.exe 1 11->17         started        20 cmd.exe 3 11->20         started        108 Injects a PE file into a foreign processes 14->108 23 RFQ5372837484.exe 14->23         started        signatures6 process7 file8 72 Suspicious powershell command line found 17->72 74 Wscript starts Powershell (via cmd or directly) 17->74 25 powershell.exe 18 17->25         started        27 wscript.exe 17->27         started        30 conhost.exe 17->30         started        32 timeout.exe 1 17->32         started        54 C:\Users\user\AppData\...\RFQ5372837484.exe, PE32 20->54 dropped 56 C:\...\RFQ5372837484.exe:Zone.Identifier, ASCII 20->56 dropped 76 Drops PE files to the startup folder 20->76 34 conhost.exe 20->34         started        78 Modifies the context of a thread in another process (thread injection) 23->78 80 Maps a DLL or memory area into another process 23->80 82 Sample uses process hollowing technique 23->82 84 Queues an APC in another process (thread injection) 23->84 36 explorer.exe 23->36 injected signatures9 process10 dnsIp11 39 RFQ5372837484.exe 2 25->39         started        102 Wscript starts Powershell (via cmd or directly) 27->102 104 Tries to detect virtualization through RDTSC time measurements 27->104 62 www.wenjiangongxiang.com 81.71.7.196, 80 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa China 36->62 64 www.bulukx.com 66.29.134.149, 49729, 80 ADVANTAGECOMUS United States 36->64 106 System process connects to network (likely due to code injection or exploit) 36->106 43 wscript.exe 36->43         started        45 msiexec.exe 36->45         started        signatures12 process13 dnsIp14 66 192.168.2.1 unknown unknown 39->66 68 cdn.discordapp.com 39->68 94 Injects a PE file into a foreign processes 39->94 47 RFQ5372837484.exe 39->47         started        96 Wscript starts Powershell (via cmd or directly) 43->96 98 Modifies the context of a thread in another process (thread injection) 43->98 100 Maps a DLL or memory area into another process 43->100 50 cmd.exe 43->50         started        signatures15 process16 signatures17 110 Modifies the context of a thread in another process (thread injection) 47->110 112 Maps a DLL or memory area into another process 47->112 114 Sample uses process hollowing technique 47->114 52 conhost.exe 50->52         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f236d3c17eddd7b270030bd19051b43c8827af7925336611d0569e73c9b058b9/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 05:28:05 UTC
AV detection:
6 of 47 (12.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6i3nhql63xl3e4adbpizaunuhsecpl3zeuzwmeoqk2phhsnqlc4q._file
Verdict:
unknown
Similar samples:
5ae912c556f676264f800d3ab31aa932564b2dde8fae76f6dbeb8d568f92aee5
Formbook
7131d78da58eb6b54db8466e0c09d7173da6f05c5615841a73dc6a032648a217
Formbook
9f7fd0ad05c3b8f6d3945a0753b7b20fc53528cfbf7c8b4a2ab7f49795937b44
Formbook
ac44cb33fc3c483e92ec55e10fc93a95e2eb86ddaedd666f77aff458bcf44ab2
Formbook
cc43f37f9eb41430bbfb6f1515b65c5fd2bc7b7565701c71aa65731fdf46c288
Formbook
e04335ac94e24921533541cae7480092fc25063caa280ebe3ed5a8697af3a844
Formbook
e5a6c4d10951823971b02b5a710c7aab484fb902b1e50f563a2dfccacfab4b63
Formbook
fa36868347a2123d27edf7866bd82006c246b078c06d8138179701973caa2d15
Formbook
+ 338 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:gmwg loader rat suricata
Link:
https://tria.ge/reports/210816-zeznbjt2bx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Drops startup file
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.eaglejudge.icu/gmwg/
Unpacked files
SH256 hash:
f236d3c17eddd7b270030bd19051b43c8827af7925336611d0569e73c9b058b9
MD5 hash:
f0e566e1be01b2814c127f5b9af97ea9
SHA1 hash:
f60f94d24ed8658577d9b787f5aa51d290390dc9
Link:
https://www.unpac.me/results/14af4ac6-9995-4933-bb56-7789b7846cc8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/f236d3c17eddd7b270030bd19051b43c8827af7925336611d0569e73c9b058b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f236d3c17eddd7b270030bd19051b43c8827af7925336611d0569e73c9b058b9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/179411/

Comments