MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f239a57a44872a5cc2f4facc6b62acb8ea45c39f2bad517991ca52a682c46d91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f239a57a44872a5cc2f4facc6b62acb8ea45c39f2bad517991ca52a682c46d91
SHA3-384 hash: df95b088e51155c02bb905fea1c7510a975ce05db5057fbde6bb9dabafc24e07704cfca63e7f84a2de66c0c0e5d0d3b6
SHA1 hash: 14517c2ba7067cb38c1ac72b8e5a233b99c7c027
MD5 hash: 2d62a576455944093dc04108394a9a14
humanhash: october-butter-high-beryllium
File name:2d62a576455944093dc04108394a9a14
Download: download sample
Signature Formbook
Create hunting rule
File size:967'168 bytes
First seen:2022-04-25 17:08:04 UTC
Last seen:2022-04-25 17:38:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:9QbrlFjaqE8NWljbxeYG3E1Q8wEah/UMZklQiXPMeiaeq+8mMt:9QrlFGDjbxeYG3yRQtiQdaeq+8my
Threatray 15'118 similar samples on MalwareBazaar
TLSH T14C25AD867624DA8EC47065F89F81EE741A201EFE8A7141E574C22F7B79EE7C1B9013E1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00525232c8cc2408 (10 x Formbook, 4 x RedLineStealer, 1 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/266512/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.1480.26685.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/6266d587de94014db626243b/reports/8cf81e57-964b-4c6f-b21d-6732150bab32/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/179ddebf-4f87-4e8b-aaac-0ed299700b7a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/982626
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 615109 Sample: x6qS6QI9s2 Startdate: 25/04/2022 Architecture: WINDOWS Score: 100 31 www.rejection.xyz 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 9 other signatures 2->45 11 x6qS6QI9s2.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\x6qS6QI9s2.exe.log, ASCII 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 59 Injects a PE file into a foreign processes 11->59 61 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->61 15 x6qS6QI9s2.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 33 shops.myshopify.com 23.227.38.74, 49719, 80 CLOUDFLARENETUS Canada 18->33 35 www.shoponly7seconds.com 18->35 37 4 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 raserver.exe 18->22         started        signatures11 process12 signatures13 49 Self deletion via cmd delete 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f239a57a44872a5cc2f4facc6b62acb8ea45c39f2bad517991ca52a682c46d91/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-25 17:09:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
53
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0b547b6fbd2328c64aab9806e3617ec953098db3af45a2546697d9ca7ee838c9
Formbook
4cfa2754f65c5621cec77a0804c28092191f5d2993a49c40312c940fe2ef08c3
Formbook
68bdffe460b6b63619a94c667eed5e81ec779aa96edc78ecfdc7bd232ff37e98
Formbook
7c88273247fcb72cc63b4153e079d0b034f9065ca14c4918e1519773ca27144b
Formbook
99bb3d1c9a2a4dad6465a81df1008b91f5836e51ce0463da76b31f9758dd9b62
Formbook
9afa5a53a2f68b1eb6dcc22a14b1b23e03b02da4a5501d7e7cbcb0a4d694f55d
Formbook
ab16df3a8883b6049c041dfb010de4ca1ff8ef1ff598c46b9395833b52f78f83
Formbook
e07c12a4c17554763b40b0ca410493875bbdd907bc8ba261a732d935e015f852
Formbook
+ 15'108 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:c0a7 loader rat
Link:
https://tria.ge/reports/220425-vn4fhahabn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
544af89ae56d67b36786c472ffd21aacbeb71d4d268358bbefc8c01003a8f7ec
MD5 hash:
0b6f9d724234fa2e61a6bf386779aa21
SHA1 hash:
dd3eb5f83bf534edb8aefacd88e47751db8901ac
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6b508985-9752-4f8f-a719-de8fffe7c419/
Parent samples :
9afa5a53a2f68b1eb6dcc22a14b1b23e03b02da4a5501d7e7cbcb0a4d694f55d
f239a57a44872a5cc2f4facc6b62acb8ea45c39f2bad517991ca52a682c46d91
8cfbf18a6d4b171e8bec81b40716b9214e4aec1246319dff997363dc67432a4e
SH256 hash:
09cd3bc420c8982190990a9673b58c3ab01e933dff0881f1e521d3316f1b9a6b
MD5 hash:
6933707e111286a128ad0f7fa298153f
SHA1 hash:
d1121c8bed634e9684727e8c0aad3f597b0749ad
Link:
https://www.unpac.me/results/6b508985-9752-4f8f-a719-de8fffe7c419/
SH256 hash:
bba5a1199abcb6c98d5e1368a6d5faef85371ac831a434dc26b8fb0442ccbf58
MD5 hash:
8b4727ace2d8c205492fd57505e5572b
SHA1 hash:
cf06ba31fbd24da273c210766fabe651846730e1
Link:
https://www.unpac.me/results/6b508985-9752-4f8f-a719-de8fffe7c419/
SH256 hash:
27ca288e35ec7e95db59767459dd78e5915c8a43c15be7738ca9dcefdbb5d97e
MD5 hash:
d76e4992b9763574047a2ff87e5a07df
SHA1 hash:
86e82ec1ff1efae6bc93e348166c32e9fdb3380f
Link:
https://www.unpac.me/results/6b508985-9752-4f8f-a719-de8fffe7c419/
SH256 hash:
f239a57a44872a5cc2f4facc6b62acb8ea45c39f2bad517991ca52a682c46d91
MD5 hash:
2d62a576455944093dc04108394a9a14
SHA1 hash:
14517c2ba7067cb38c1ac72b8e5a233b99c7c027
Link:
https://www.unpac.me/results/6b508985-9752-4f8f-a719-de8fffe7c419/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f239a57a4487/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/f239a57a44872a5cc2f4facc6b62acb8ea45c39f2bad517991ca52a682c46d91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb2
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f239a57a44872a5cc2f4facc6b62acb8ea45c39f2bad517991ca52a682c46d91

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2163853/
Cape
Cape
https://www.capesandbox.com/analysis/266512/

Comments


Avatar
zbet commented on 2022-04-25 17:08:05 UTC

url : hxxp://51.178.236.134/draft/winlogon.exe