MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2a813ed5d99e263f28a0b9224ae1d4f484b606cab37305b56c75a70cff31518. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2a813ed5d99e263f28a0b9224ae1d4f484b606cab37305b56c75a70cff31518
SHA3-384 hash: 2a87421ac5ef8cb73d15ffceb9db8f43ccf432f2358f26e01febecb2cea60f2ff4d91d3cbbcbba3b569fc70afe911b5c
SHA1 hash: d6348309083c3f15fc0158a3a57534c88b71706a
MD5 hash: 19465536d631611e809784cf92d5f3dc
humanhash: triple-echo-wisconsin-mike
File name:COMPUTATION DOC.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:949'760 bytes
First seen:2023-01-25 06:57:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:X+X+77kQ97VqVEnUn6qtIhMTmKC8JS4qQbX4TX3zm8FUzW/Eggzx00/wl2HfI6aZ:X+X+79bqSKIKTpC8JxBbEzmxzJA6AL
TLSH T15B157BE1435D99F9F9A51F3516293D1862A66C8BC7B0D02DBE4B743F94F528A00F83E2
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 6b4b346153455121 (9 x Formbook)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
COMPUTATION DOC.exe
Verdict:
Malicious activity
Analysis date:
2023-01-25 06:58:17 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/0e81d978-6a01-4068-be95-8c8cf2018c94

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/356627/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed phishing
Link:
https://www.filescan.io/uploads/63d0d2fb2d4f6d560e22d2b8/reports/9b5fdc91-7cfc-4fff-89fb-68d7b3329ffe/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cfcca649-30f6-44d0-ad01-47084f70e27d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1158503
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 791240 Sample: COMPUTATION DOC.exe Startdate: 25/01/2023 Architecture: WINDOWS Score: 100 67 www.mycrystallampshop.com 2->67 69 mycrystallampshop.com 2->69 81 Snort IDS alert for network traffic 2->81 83 Multi AV Scanner detection for domain / URL 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 13 other signatures 2->87 11 COMPUTATION DOC.exe 7 2->11         started        15 irLVvlIoa.exe 5 2->15         started        signatures3 process4 file5 53 C:\Users\user\AppData\Roaming\irLVvlIoa.exe, PE32 11->53 dropped 55 C:\Users\...\irLVvlIoa.exe:Zone.Identifier, ASCII 11->55 dropped 57 C:\Users\user\AppData\Local\...\tmp9139.tmp, XML 11->57 dropped 59 C:\Users\user\...\COMPUTATION DOC.exe.log, ASCII 11->59 dropped 95 Adds a directory exclusion to Windows Defender 11->95 17 COMPUTATION DOC.exe 11->17         started        20 powershell.exe 21 11->20         started        22 schtasks.exe 1 11->22         started        97 Multi AV Scanner detection for dropped file 15->97 99 Machine Learning detection for dropped file 15->99 101 Tries to detect virtualization through RDTSC time measurements 15->101 103 Injects a PE file into a foreign processes 15->103 24 irLVvlIoa.exe 15->24         started        26 schtasks.exe 1 15->26         started        28 irLVvlIoa.exe 15->28         started        30 irLVvlIoa.exe 15->30         started        signatures6 process7 signatures8 71 Modifies the context of a thread in another process (thread injection) 17->71 73 Maps a DLL or memory area into another process 17->73 75 Sample uses process hollowing technique 17->75 77 Queues an APC in another process (thread injection) 17->77 32 explorer.exe 1 17->32 injected 36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 26->40         started        process9 dnsIp10 61 www.ovalwriters.com 74.220.199.6, 49696, 80 UNIFIEDLAYER-AS-1US United States 32->61 63 www.amtqu.com 156.232.189.82, 49695, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 32->63 65 www.4mtbank.com 32->65 79 System process connects to network (likely due to code injection or exploit) 32->79 42 colorcpl.exe 32->42         started        45 cscript.exe 32->45         started        47 autochk.exe 32->47         started        signatures11 process12 signatures13 89 Modifies the context of a thread in another process (thread injection) 42->89 91 Maps a DLL or memory area into another process 42->91 93 Tries to detect virtualization through RDTSC time measurements 42->93 49 cmd.exe 42->49         started        process14 process15 51 conhost.exe 49->51         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2a813ed5d99e263f28a0b9224ae1d4f484b606cab37305b56c75a70cff31518/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-13 14:45:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
26 of 39 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6kubh3k5thrgh4ukbojcjlq5j5eewydmvm3taw2wy5nhbt7tcuma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ci07 rat spyware stealer trojan
Link:
https://tria.ge/reports/230125-hrgppagh2z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
df140d439eac7c6b3d92b93f099289a3c5aab8bb2700f76e96fe3cf1a5896c56
MD5 hash:
344610dcf21c8e20223b966898b761fe
SHA1 hash:
d4f36442fd63c9dbb8d70b6bf3f6dc06d2f6dfd5
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/a018481b-f9b1-4d0d-8e4f-e88c6bfd3876/
Parent samples :
901e0cc15f4525b844025cc57959ee5dc434844ba318e9f1349589ba965c1f53
794ff32dcb5a26819bea2fa85f82ee36dae53a5d6a6d2e42790801bfb018cda7
8cde8e6a8021c1d4d221179126d6fdd2a2a20a2b24f57fc20202f86640350f96
152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2
9405e5517f3a40a2dafc9e86359aa53e211af30c4fe1a7f77b24bd42ccc36354
9d6d28627c34f8d225dde0a78d27418d461ea3a35e6bc4afa0f50e9cb8bc1b21
94950eecd04b39b6b5e9e79f403ff8d5413ffd9d8176d8af0dc059862b720cf1
8ac5dceeed786e06a01cec7ce9d550a0f48c50511ad81db887c69fd5d720ff3e
a78e65c599449ae8f781711a5b432c95fd1c7ebbb4bb1c9353087e79b62f6489
59fe1ecfcc9a304108971209bdd1656f033bf0ef51744babf253394d58b10bbc
f2a813ed5d99e263f28a0b9224ae1d4f484b606cab37305b56c75a70cff31518
SH256 hash:
1c0072bd0c8fbf0e27d145a0ee7e34428936c2ddeba929d3f60e352891e7e0c6
MD5 hash:
b2d0625c46714e40a6a38238659ea9ed
SHA1 hash:
dc43d5d539eab67b7e3109d0e4894e099a1a18f8
Link:
https://www.unpac.me/results/a018481b-f9b1-4d0d-8e4f-e88c6bfd3876/
SH256 hash:
be5fb82b8f5e4cfb9c01ec259f6a69c79ddb0b864c8a0f267d45b667d2a04e1e
MD5 hash:
144a9bb93fe9d7801dd608ae8836ba11
SHA1 hash:
4b448d3f714c94f7388170a8024c901702a40808
Link:
https://www.unpac.me/results/a018481b-f9b1-4d0d-8e4f-e88c6bfd3876/
SH256 hash:
a6a52a8b5ad7be5ba07d9f9962ba48534eabc134a6f87bc13b0c8ab02414c284
MD5 hash:
3959322ceeb62aeef290c332e1a3194b
SHA1 hash:
1349c5dff6ed1912be7c0baa0492ae1acfef4085
Link:
https://www.unpac.me/results/a018481b-f9b1-4d0d-8e4f-e88c6bfd3876/
SH256 hash:
fa73579f87ffd2f2e78d89b5e890a8aeeac7e5670f23b54ac08b1f993631c996
MD5 hash:
be0529caea365254307907e4645eb3cb
SHA1 hash:
06d94b2da857cb804f6794dfdd234d62b36a634b
Link:
https://www.unpac.me/results/a018481b-f9b1-4d0d-8e4f-e88c6bfd3876/
SH256 hash:
f2a813ed5d99e263f28a0b9224ae1d4f484b606cab37305b56c75a70cff31518
MD5 hash:
19465536d631611e809784cf92d5f3dc
SHA1 hash:
d6348309083c3f15fc0158a3a57534c88b71706a
Link:
https://www.unpac.me/results/a018481b-f9b1-4d0d-8e4f-e88c6bfd3876/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f2a813ed5d99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/f2a813ed5d99e263f28a0b9224ae1d4f484b606cab37305b56c75a70cff31518

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f2a813ed5d99e263f28a0b9224ae1d4f484b606cab37305b56c75a70cff31518

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/356627/

Comments