MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2a1b48f82208d3d1bf4e613fd7c6a16f63c96ebb2c31ed502ec67cb6768b2f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

SHA256 hash: f2a1b48f82208d3d1bf4e613fd7c6a16f63c96ebb2c31ed502ec67cb6768b2f6
SHA3-384 hash: c7bd4f400919d43868b894051b7fdc6f5225f853963fc3f9ad1467d1d06d596cbedcc65e353f766b78a02b2b03bafd7d
SHA1 hash: 41f9e2ee597df731ccd379c7e2a393fbafdbf6c0
MD5 hash: cd20bbd3e19a80fa77317cd2c42facdd
humanhash: lion-uniform-august-arkansas
File name: 12042021493876783,xlsx.exe
Signature: Formbook
File size: 779'776 bytes
First seen: 2021-04-12 06:25:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 23399c21b0aa604a8aa13da9702198d1 (3 x RemcosRAT, 1 x Formbook)
ssdeep: 12288:XjsnTVNRUWpHKTXa8+XBM9gN4W9t7ocLyg0c0fKRmp:XjMmMH8XEgfqFDd0fK8
Threatray: 4'671 similar samples on MalwareBazaar
TLSH: CBF4AE21B2D19437D12E4639ED2797EC982AFE10FE64D94A67F80C0C5F383517E6A293
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing unidentified malware:

HELO: inbox0.continental-corparation.com
Sending IP: 64.227.108.224
From: "Nataša Bukovčić" <instruments@solinst.com>
Subject: Payment Confirmation
Attachment: 12042021493876783,xlsx.iso (contains "12042021493876783,xlsx.exe")
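The reporter's note above carries the two things a mail-gateway analyst would key on: the HELO host (a look-alike of a well-known company name) does not belong to the From domain, and the attachment name uses ",xlsx" so that a disk image ending in .iso reads like a spreadsheet. The following triage script is an added example, not code from MalwareBazaar or abuse.ch; the message object is constructed from the note (there is no captured e-mail on this page), the extension lists are an assumption, and the registrable-domain helper is deliberately naive.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Extensions that make an unsolicited attachment suspicious on their own.
# Disk images historically mounted without Mark-of-the-Web, which is why they
# are used as wrappers for executables (assumed list, extend to taste).
CONTAINER_EXT = {"iso", "img", "vhd", "vhdx"}
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta"}
# Extensions a lure borrows to look like a harmless document.
DOCUMENT_EXT = {"xlsx", "xls", "docx", "doc", "pdf", "csv"}


@dataclass
class MailMeta:
    helo: str
    from_header: str
    subject: str
    attachments: list = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. A crude eTLD+1 that is wrong for
    co.uk-style suffixes; use a public-suffix library in production."""
    labels = host.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def deceptive_filename(name: str) -> list:
    """Return reasons a filename looks like a lure. Splits on '.' and ','
    because this campaign wrote '12042021493876783,xlsx.iso' so that
    ',xlsx' is read as '.xlsx' by a hurried user."""
    reasons = []
    tokens = re.split(r"[.,]", name.lower())
    if len(tokens) < 2:
        return reasons
    final, inner = tokens[-1], set(tokens[1:-1])
    if final in CONTAINER_EXT:
        reasons.append(f"disk-image container (.{final})")
    if final in EXEC_EXT:
        reasons.append(f"executable (.{final})")
    decoys = sorted(inner & DOCUMENT_EXT)
    if decoys:
        reasons.append(f"decoy document extension before the real one: {decoys}")
    if re.search(r",(?:%s)(?:[.,]|$)" % "|".join(DOCUMENT_EXT), name.lower()):
        reasons.append("comma used in place of a dot before a document extension")
    return reasons


def triage(meta: MailMeta) -> list:
    """Combine the envelope check with the attachment checks."""
    findings = []
    helo_dom = registrable_domain(meta.helo)
    sender = parseaddr(meta.from_header)[1]
    from_dom = registrable_domain(sender.split("@")[-1]) if "@" in sender else ""
    if from_dom and helo_dom != from_dom:
        findings.append(f"HELO domain '{helo_dom}' does not match From domain '{from_dom}'")
    for att in meta.attachments:
        findings.extend(f"{att}: {r}" for r in deceptive_filename(att))
    return findings


# Constructed from the reporter's note above; not a captured message.
SAMPLE = MailMeta(
    helo="inbox0.continental-corparation.com",
    from_header='"Nataša Bukovčić" <instruments@solinst.com>',
    subject="Payment Confirmation",
    attachments=["12042021493876783,xlsx.iso"],
)
# Constructed benign control.
BENIGN = MailMeta(helo="mail.example.com", from_header="Alice <alice@example.com>",
                  subject="Minutes", attachments=["minutes.pdf"])

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print("SUSPICIOUS:", f)
    print("benign findings:", triage(BENIGN))
```

The same function applied to the inner file name "12042021493876783,xlsx.exe" flags the executable extension and the comma trick, so the rule fires both on the container and, after extraction, on its payload.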

Intelligence


File Origin
Uploads: 1
Downloads: 128
Origin country: n/a

Vendor Threat Intelligence

Result
Malware family: n/a
ID: 1
File name: 12042021493876783,xlsx.exe
Verdict: Malicious activity
Analysis date: 2021-04-12 06:41:12 UTC
Tags: installer trojan formbook stealer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour

Behavior Graph (ID 385222; sample 12042021493876783,xlsx.exe; start date 12/04/2021; architecture WINDOWS; score 100), reproduced as a process tree. "Signatures" are the sandbox signatures attached to each node.

Sample-level: DNS www.kizunaservice.com; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures

12042021493876783,xlsx.exe (started)
  DNS: wprhwa.dm.files.1drv.com; onedrive.live.com; dm-files.fe.1drv.com
  Dropped: C:\Users\Public\Netplwiz.exe (PE32+); C:\Users\Public\NETUTILS.dll (PE32+); C:\Users\Public\Libraries\Dhiuyy\Dhiuyy.exe (PE32)
  Signatures: Drops PE files to the user root directory; Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
  secinit.exe (started)
    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
    explorer.exe (injected)
      Network: www.werealestatephotography.com 35.208.69.149:80 (GOOGLE-2US, United States); www.lboclkchain.com 185.178.208.160:80 (DDOS-GUARDRU, Russian Federation); 10 other IPs or domains
      Signatures: System process connects to network (likely due to code injection or exploit)
      Dhiuyy.exe (started)
        Network: 192.168.2.1; wprhwa.dm.files.1drv.com; 2 other IPs or domains
        Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Creates a thread in another existing process (thread injection)
        logagent.exe (started)
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
      Dhiuyy.exe (started)
        Network: wprhwa.dm.files.1drv.com; onedrive.live.com; dm-files.fe.1drv.com
        Signatures: Injects a PE file into a foreign processes
        dialer.exe (started)
          Signatures: Tries to detect virtualization through RDTSC time measurements
      msdt.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        cmd.exe (started)
          conhost.exe (started)
      wlanext.exe (started)
  cmd.exe (started)
    cmd.exe (started)
      Dropped: C:\Windows \System32\Netplwiz.exe (PE32+); C:\Windows \System32\NETUTILS.dll (PE32+) (the space after "Windows" is part of the recorded path, i.e. a look-alike of the real System32 directory)
      Signatures: Drops executables to the windows directory (C:\Windows) and starts them
      Netplwiz.exe (started)
        cmd.exe (started)
          Signatures: Suspicious powershell command line found; Adds a directory exclusion to Windows Defender
          powershell.exe (started)
            Signatures: DLL side loading technique detected
            conhost.exe (started)
          conhost.exe (started)
      conhost.exe (started)
    conhost.exe (started)
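The signature list and process tree above give an endpoint analyst four concrete things to hunt for: PE files dropped under C:\Users\Public, a copy of Netplwiz.exe and NETUTILS.dll placed in "C:\Windows \System32" (with a trailing space, so that the path looks like the trusted one), that relocated binary loading the DLL from its own directory, and a PowerShell command adding a Defender exclusion. The detection below is an added example, not code from the page or from any sandbox vendor. It runs over constructed Sysmon-shaped events (EID 1 process create, EID 7 image load, EID 11 file create); the PowerShell command line is an assumption, because the page records only the behaviour, and the set of System32 binary names is seeded from the one this sample relocates.

```python
import re
from pathlib import PureWindowsPath

SYSTEM32 = "c:\\windows\\system32"
PE_EXT = {".exe", ".dll"}
# Seeded from the binary this sample relocates. Assumption for the example;
# in practice populate from a clean System32 listing.
SYSTEM32_BINARIES = {"netplwiz.exe"}
DEFENDER_EXCL_RE = re.compile(r"add-mppreference.*-exclusion(?:path|process|extension)", re.I)


def has_trailing_space_dir(path: str) -> bool:
    """True when a directory component ends in a space, e.g. 'C:\\Windows \\System32'.
    Ordinary Win32 path handling strips trailing spaces, so such a directory
    can only be created through a \\\\?\\ path; its purpose is to impersonate
    a trusted location."""
    return any(part.endswith(" ") for part in PureWindowsPath(path).parts[:-1])


def detect(events):
    """Apply the rules and return (rule, image, detail) hits in event order."""
    hits = []
    for ev in events:
        eid, image = ev["EventID"], ev["Image"]
        if eid == 1:
            cmd = ev.get("CommandLine", "")
            if DEFENDER_EXCL_RE.search(cmd):
                hits.append(("defender_exclusion", image, cmd))
            if has_trailing_space_dir(image):
                hits.append(("mock_trusted_dir_exec", image, cmd))
        elif eid == 11:
            target = ev["TargetFilename"]
            if PureWindowsPath(target).suffix.lower() in PE_EXT:
                if target.lower().startswith("c:\\users\\public\\"):
                    hits.append(("pe_drop_public", image, target))
                if has_trailing_space_dir(target):
                    hits.append(("mock_trusted_dir_drop", image, target))
        elif eid == 7:
            host = PureWindowsPath(image)
            lib = PureWindowsPath(ev["ImageLoaded"])
            host_dir = str(host.parent).lower()
            # A System32 binary running from somewhere else and loading a DLL
            # from that same directory is the side-loading shape in this sample
            # (Netplwiz.exe + NETUTILS.dll). Legitimate apps loading their own
            # DLLs are not flagged because their names are not System32 names.
            if (host.name.lower() in SYSTEM32_BINARIES and host_dir != SYSTEM32
                    and lib.suffix.lower() == ".dll"
                    and str(lib.parent).lower() == host_dir):
                hits.append(("dll_sideload", image, ev["ImageLoaded"]))
    return hits


# Constructed events modelled on the process tree; not sandbox output.
DROPPER = "C:\\Users\\user\\Desktop\\12042021493876783,xlsx.exe"
MOCK = "C:\\Windows \\System32"   # trailing space is deliberate
CMD = "C:\\Windows\\System32\\cmd.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"EventID": 11, "Image": DROPPER, "TargetFilename": "C:\\Users\\Public\\Netplwiz.exe"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": "C:\\Users\\Public\\NETUTILS.dll"},
    {"EventID": 11, "Image": CMD, "TargetFilename": MOCK + "\\Netplwiz.exe"},
    {"EventID": 11, "Image": CMD, "TargetFilename": MOCK + "\\NETUTILS.dll"},
    {"EventID": 1, "Image": MOCK + "\\Netplwiz.exe", "CommandLine": "Netplwiz.exe"},
    {"EventID": 7, "Image": MOCK + "\\Netplwiz.exe", "ImageLoaded": MOCK + "\\NETUTILS.dll"},
    # Assumed command line; the page only records that an exclusion was added.
    {"EventID": 1, "Image": PS,
     "CommandLine": "powershell -Command Add-MpPreference -ExclusionPath \"C:\\Users\\Public\""},
    # Benign controls: the real netplwiz in System32, and an app loading its own DLL.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\netplwiz.exe",
     "ImageLoaded": "C:\\Windows\\System32\\NETUTILS.dll"},
    {"EventID": 7, "Image": "C:\\Program Files\\App\\app.exe",
     "ImageLoaded": "C:\\Program Files\\App\\app.dll"},
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for rule, image, detail in detect(EVENTS):
        print(f"{rule:24} {image}  <-  {detail}")
```

The trailing-space check is the cheapest of the four and has essentially no benign hits, because no installer creates a directory that Win32 cannot address by its normal name; treat any such path in file-create or process-create telemetry as a high-confidence alert on its own.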
Result
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2021-04-12 06:09:19 UTC
AV detection: 11 of 48 (22.92%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader loader persistence rat
Behaviour:
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Xloader Payload
Xloader
Malware Config
C2 Extraction: http://www.werealestatephotography.com/hw6d/
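Only one URL comes out of the extracted configuration; the other domains and addresses on this page come from the sandbox network trace, which is weaker evidence (the injected explorer.exe contacted a dozen destinations). A matcher should therefore score a hit on the configured C2 URL higher than a hit on a trace domain or IP, and note when the originating process is one that only talks to the network because code was injected into it. The following is an added example, not MalwareBazaar code; the proxy-log layout, the query string and the 203.0.113.0/24 addresses are constructed, and the indicator sets are copied from this entry.

```python
import re
from urllib.parse import urlsplit

# Indicators from this MalwareBazaar entry.
C2_URLS = ["http://www.werealestatephotography.com/hw6d/"]        # extracted config
TRACE_HOSTS = {"www.kizunaservice.com", "www.lboclkchain.com"}    # sandbox trace only
TRACE_IPS = {"35.208.69.149", "185.178.208.160"}                  # sandbox trace only
# Processes the sandbox saw originating traffic only after injection.
INJECTION_HOSTS = {"explorer.exe", "msdt.exe", "wlanext.exe", "logagent.exe", "dialer.exe"}

SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed proxy-log layout: timestamp src_ip process method url dst_ip
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$"
)


def classify(line: str):
    """Return None for a clean line, else a dict with the worst severity and all reasons."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    host, path = (url.hostname or "").lower(), url.path or "/"
    reasons = []
    for c2 in C2_URLS:
        c = urlsplit(c2)
        # Host plus path prefix: the configured C2 path is the discriminating part.
        if host == c.hostname and path.startswith(c.path):
            reasons.append(("high", f"matches extracted C2 URL {c2}"))
    if host in TRACE_HOSTS:
        reasons.append(("medium", f"host {host} seen in sandbox trace"))
    if m["dst"] in TRACE_IPS:
        reasons.append(("medium", f"destination {m['dst']} seen in sandbox trace"))
    if m["proc"].lower() in INJECTION_HOSTS:
        reasons.append(("low", f"{m['proc']} normally has no reason to originate HTTP"))
    if not reasons:
        return None
    severity = max((r[0] for r in reasons), key=SEVERITY.__getitem__)
    return {"severity": severity, "process": m["proc"], "url": m["url"],
            "reasons": [r[1] for r in reasons]}


def scan(lines):
    """Classify every line and keep only the ones that matched something."""
    return [r for r in (classify(line) for line in lines) if r]


# Constructed log lines modelled on the process tree above; not captured traffic.
LOG = """
2021-04-12T06:42:01Z 192.168.2.15 explorer.exe GET http://www.werealestatephotography.com/hw6d/?xy=0a1b 35.208.69.149
2021-04-12T06:42:09Z 192.168.2.15 explorer.exe GET http://www.lboclkchain.com/ 185.178.208.160
2021-04-12T06:43:00Z 192.168.2.15 chrome.exe GET https://onedrive.live.com/ 203.0.113.10
2021-04-12T06:43:30Z 192.168.2.15 chrome.exe GET http://www.werealestatephotography.com/about 35.208.69.149
2021-04-12T06:44:00Z 192.168.2.16 outlook.exe GET https://www.example.com/ 203.0.113.20
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(LOG):
        print(f"[{hit['severity']:6}] {hit['process']:14} {hit['url']}")
        for why in hit["reasons"]:
            print("          -", why)
```

Note that the OneDrive hosts in the trace are not in the indicator sets: the sample pulled its second stage from legitimate Microsoft infrastructure, and blocking or alerting on those hosts would only generate noise.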
Unpacked files
SHA256 hash: 31ffb1d8050b158b4c432cbb831f9da9b918443b7ed3ecca7e3d7a18a531e3f9
MD5 hash: 406f0b9cc6dacbdd1b715c557b941343
SHA1 hash: 77387463c87215e20a8592430665820cbb146660
SHA256 hash: f2a1b48f82208d3d1bf4e613fd7c6a16f63c96ebb2c31ed502ec67cb6768b2f6
MD5 hash: cd20bbd3e19a80fa77317cd2c42facdd
SHA1 hash: 41f9e2ee597df731ccd379c7e2a393fbafdbf6c0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: MALWARE_Win_DLAgent07
Author: ditekSHen
Description: Detects delf downloader agent

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe f2a1b48f82208d3d1bf4e613fd7c6a16f63c96ebb2c31ed502ec67cb6768b2f6 (this sample)

Delivery method: Distributed via e-mail attachment

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-14 15:27:16 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
3) [B0012.001] Anti-Static Analysis::Argument Obfuscation
4) [F0002.002] Collection::Polling
6) [C0026.002] Data Micro-objective::XOR::Encode Data
8) [C0051] File System Micro-objective::Read File
9) [C0052] File System Micro-objective::Writes File
10) [E1510] Impact::Clipboard Modification
11) [C0007] Memory Micro-objective::Allocate Memory
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
14) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
15) [C0038] Process Micro-objective::Create Thread
16) [C0041] Process Micro-objective::Set Thread Local Storage Value
17) [C0018] Process Micro-objective::Terminate Process