MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2e67fd733ca7d4c22f1bda695c89d4a3f8ddb4dbfd7afb7b2ee22dcb81bce47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2e67fd733ca7d4c22f1bda695c89d4a3f8ddb4dbfd7afb7b2ee22dcb81bce47
SHA3-384 hash: e58da77f5a1891b7c872388980c53440b317d8169cdade2113116cc028e7c77797431cc28dc766eae659879403aaaee0
SHA1 hash: cf5ec8533d0fde495da50c5b4dfa513f4b1f3552
MD5 hash: 73108e333eb4aee93e604a4aa08407e7
humanhash: lactose-fanta-glucose-mexico
File name:EB94D7mept3gdSh.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:960'000 bytes
First seen:2021-07-14 05:57:52 UTC
Last seen:2021-07-14 06:47:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:5vzIC6P/2erNls9XOd4+QCo99p39aDON5FLwn/kBKc/YliS/UQaHdAB72Kx9kjMm:5vQ+99pta61EnSBQ6QiB2GtweOFmt
Threatray 6'619 similar samples on MalwareBazaar
TLSH T1E6155A6823BDD608EE32EB3C9F64A6449EB67AF5523DDC0D1C8421476833D46ADE6C31
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EB94D7mept3gdSh.exe
Verdict:
Malicious activity
Analysis date:
2021-07-14 05:59:33 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/7576c19c-57bd-49c5-a9f7-ffb80933f904

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171555/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Noon.lc.5910.25025.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d576d25-99d6-4cbe-8b78-8b5e36bb949a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816006
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 448417 Sample: EB94D7mept3gdSh.exe Startdate: 14/07/2021 Architecture: WINDOWS Score: 100 32 www.corruptoefrenmartinez.com 2->32 34 www.beevenomoil.com 2->34 36 corruptoefrenmartinez.com 2->36 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 8 other signatures 2->54 11 EB94D7mept3gdSh.exe 3 2->11         started        signatures3 process4 file5 30 C:\Users\user\...B94D7mept3gdSh.exe.log, ASCII 11->30 dropped 68 Tries to detect virtualization through RDTSC time measurements 11->68 70 Injects a PE file into a foreign processes 11->70 15 EB94D7mept3gdSh.exe 11->15         started        signatures6 process7 signatures8 72 Modifies the context of a thread in another process (thread injection) 15->72 74 Maps a DLL or memory area into another process 15->74 76 Sample uses process hollowing technique 15->76 78 Queues an APC in another process (thread injection) 15->78 18 explorer.exe 15->18 injected process9 dnsIp10 38 www.9066985.com 119.28.128.107, 49744, 80 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 18->38 40 www.jane-woolrich.net 94.136.40.51, 49737, 80 GD-EMEA-DC-LD5GB United Kingdom 18->40 42 16 other IPs or domains 18->42 56 System process connects to network (likely due to code injection or exploit) 18->56 58 Performs DNS queries to domains with low reputation 18->58 22 colorcpl.exe 12 18->22         started        signatures11 process12 dnsIp13 44 www.officeactivate.xyz 22->44 46 officeactivate.xyz 22->46 60 Performs DNS queries to domains with low reputation 22->60 62 Modifies the context of a thread in another process (thread injection) 22->62 64 Maps a DLL or memory area into another process 22->64 66 Tries to detect virtualization through RDTSC time measurements 22->66 26 cmd.exe 1 22->26         started        signatures14 process15 process16 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f2e67fd733ca7d4c22f1bda695c89d4a3f8ddb4dbfd7afb7b2ee22dcb81bce47/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 04:37:56 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6lth7vztzj6uyixrxwtjlse5ji7y3w2nx7l27n5s5yrnzoa3zzdq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04df6344497e9d1c321f32b61df87db549d179c6c66c3bf0b2cc7f6b1510040d
Formbook
228f0e866b6580e0799a21147d9fbf4d6e56a5b89b9b68dcb29ca4d15d18f484
Formbook
52208fdea02024ab93aebbc72f62d3b105644d5afcb4d8de494f001f87a03a9d
Formbook
57ecabd6b2969a1414a3ed8b756dbfec03f6773b61c988d3e434c05f3023e590
Formbook
5ec36ac5ba843f29bb0dc75d7d527ab9cee34a681bad704a89fd5ed12cdea337
Formbook
62d66df21fe7d278b6a58b45fcd4a05b6b51c47eaac1d0f5c7acd532748ca9be
Formbook
660708a7f99d26de87386ca21682b96179f16f2dbc67578a704cb94d78e9848f
Formbook
8241caa4d6c5a09290864492d19dee143f0f80074d370135c0f91bad01c16ee3
Formbook
a6b7f7cc0b732bd64663fc8c69b3d88a155a2fbf6e0c0857435cb277d86e2e80
Formbook
d337cba627486e1f99e4a96407591609d888c6656a4010b88047e7cd1ab19482
Formbook
+ 6'609 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210714-p27mm1hefn/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.designsbynandini.com/fznn/
Unpacked files
SH256 hash:
0c8124704d26c2c0065f1f2fd24384b2a44ca1512c56c49fa52e84aed2233527
MD5 hash:
b79f4bc90e22dc6b9fa3459809e8e720
SHA1 hash:
91d1f8f982b03ccb6d984c51fb19b6d0692514ce
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6f443d04-6232-4ec6-9248-9c40c330c535/
Parent samples :
f2e67fd733ca7d4c22f1bda695c89d4a3f8ddb4dbfd7afb7b2ee22dcb81bce47
829b0cf5a06a20d2a4ff31190f56d23ddc994ff8807bd12feebecc255afb0160
5accccfe8695d78110cc9c27d79d56ac280879a0d874bb46c42c2a8baf7fe972
1cd93c07c439d16266f2276b1f38c53b57cd0de59490b6857044eda8abe78c01
9f019f0bf99f5d64605c844792ed965f8be65b9378404c8792311ba56edd83cc
e4f6934778af90c9743606ba732f32121601a3b227f5e881eba31595e67a8a05
cff84e417e1483abc23bd1ff30bac2fda21a4e80f4dcc210130e3157a42299d2
16cb5d00387369fa2bb69b16f39a62cd4dc4557324ac4202f466be7f6bec27d8
SH256 hash:
13e3aca2d328582e46d65f8d838e33f4024425e2e13e77ee1b3d0f8d16103309
MD5 hash:
bf5b133247197e946576cf3f9bd429b6
SHA1 hash:
a28197dcaddf163335d23740dedc927d8d2a74e1
Link:
https://www.unpac.me/results/6f443d04-6232-4ec6-9248-9c40c330c535/
SH256 hash:
4752639057b2e72f8285d973d13ef88841314b1fd72705630249b559abefb277
MD5 hash:
5f560cb234823b79e7be8e499b458697
SHA1 hash:
a02e02066a0440628236a65173953473ec8b98f8
Link:
https://www.unpac.me/results/6f443d04-6232-4ec6-9248-9c40c330c535/
SH256 hash:
489c5a4dc809cc782b9dff93ede88b510886c584e9584b6428a73271118a2d82
MD5 hash:
275527356ec4512733bfc4eae62e4a2f
SHA1 hash:
27b385e96a6927e02f7f408867874bfca689b6e2
Link:
https://www.unpac.me/results/6f443d04-6232-4ec6-9248-9c40c330c535/
SH256 hash:
f2e67fd733ca7d4c22f1bda695c89d4a3f8ddb4dbfd7afb7b2ee22dcb81bce47
MD5 hash:
73108e333eb4aee93e604a4aa08407e7
SHA1 hash:
cf5ec8533d0fde495da50c5b4dfa513f4b1f3552
Link:
https://www.unpac.me/results/6f443d04-6232-4ec6-9248-9c40c330c535/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/f2e67fd733ca7d4c22f1bda695c89d4a3f8ddb4dbfd7afb7b2ee22dcb81bce47

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f2e67fd733ca7d4c22f1bda695c89d4a3f8ddb4dbfd7afb7b2ee22dcb81bce47

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/171555/

Comments