MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f35e37b873cb4bee71eab9a5caa6bc7bcb592d84b7924e83ec00a5c9058eb03b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f35e37b873cb4bee71eab9a5caa6bc7bcb592d84b7924e83ec00a5c9058eb03b
SHA3-384 hash: 04da6c8aabca5f29cb4ba316f17a3b6029813f20deec64a44db8ecd943b391556adbf43be8fedc1aef5d0ba3fcaac9c5
SHA1 hash: 5a3a7e4891e4e24c5d3dacd58fcc6b8ccc02cda5
MD5 hash: 1bbc9d68daddfbdb240d292ad00c3a50
humanhash: enemy-connecticut-stairway-magnesium
File name:1bbc9d68daddfbdb240d292ad00c3a50.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:797'184 bytes
First seen:2021-09-20 17:56:00 UTC
Last seen:2021-09-20 17:56:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:T5MTdPKMHasmtiK5oyZPHoUFTChoUVmMSU22v9KlSb+ASN:iNx+FoUI4C2UaU2xRN
Threatray 9'458 similar samples on MalwareBazaar
TLSH T181059EC17D47D89BF4DF2AF3986FC12011646E9D9161C73D2682BA2B55F331230ABA4E
File icon (PE):PE icon
dhash icon b282b8a4a6929e9e (23 x Formbook, 20 x AgentTesla, 9 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LSP18048.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-20 15:33:57 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/c23fb3a5-80c3-4699-9f40-22898c9cb700

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189553/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.FPE.genEldorado.8510.2544.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3753f0ef-8d6e-44a1-b76a-6e1a4099d113
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854377
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 486807 Sample: 7gtmJh7WTh.exe Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 35 www.sakudata.com 2->35 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 8 other signatures 2->49 11 7gtmJh7WTh.exe 4 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\...\7gtmJh7WTh.exe.log, ASCII 11->33 dropped 61 Adds a directory exclusion to Windows Defender 11->61 63 Tries to detect virtualization through RDTSC time measurements 11->63 65 Injects a PE file into a foreign processes 11->65 15 7gtmJh7WTh.exe 11->15         started        18 powershell.exe 24 11->18         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 37 www.sppradar.com 20->37 39 www.god-gym.com 20->39 41 5 other IPs or domains 20->41 51 System process connects to network (likely due to code injection or exploit) 20->51 26 rundll32.exe 20->26         started        signatures11 process12 signatures13 53 Self deletion via cmd delete 26->53 55 Modifies the context of a thread in another process (thread injection) 26->55 57 Maps a DLL or memory area into another process 26->57 59 Tries to detect virtualization through RDTSC time measurements 26->59 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f35e37b873cb4bee71eab9a5caa6bc7bcb592d84b7924e83ec00a5c9058eb03b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 15:43:57 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03735650255866b1c2592bcb4567cbcb2b9d23eea5430d2e7d7c6315abadb5ad
Formbook
1ba55b6d19b202f0a3fa11a7122a210ed0041074bf30fc754bbc87c1a793304b
Formbook
23cc105fad71d71dced93e63fdbab55354b4dc9700fb0de855acedaf5723ed9c
Formbook
3643c16e7017696ca2809399d3edbf2f7f7298e4ef3246951fac256e86176716
Formbook
4311e97e616734f94d1aa4d38f37679749ae84513d132aee134fbc364d25b6ec
Formbook
7e9997ea452090062e0512decd987ccd4ad16cc04d8bea777a4c8929b5ba85aa
Formbook
87fb0ca5b0ebcc0dc80aeca8065b2e2bf1ec14cade124316227646bc59ad237c
Formbook
b8ae452aae57b904e1058a00c0a22dc8c9fa86e5b042d7fe5c812f724b7531a6
Formbook
ebe1f420ea3fcef5b426cf6458d23984e12c4ceb5983571699f60aaa963b159a
Formbook
f547d8d44d91b4d09f1323857e573c31a8cb0fb1ed949cc0f8c90f6ea807b23c
Formbook
+ 9'448 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:utrf loader rat
Link:
https://tria.ge/reports/210920-wh1yvsefh4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.xiaohe-jiankang.com/utrf/
Unpacked files
SH256 hash:
8853648e8b109fffd20c1a6fe89c931d0142264eb055a9ed3c1b77b4d9288746
MD5 hash:
1153ad77d2b2d67520f52ef9077697a6
SHA1 hash:
8560e6bb2891602d29780ea12d66607ae39062ad
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ff84c247-1329-438b-8cad-0299b76b834b/
SH256 hash:
e2f7416da6b87660d7b6384d151ef3736e7303decff98a94f9c4fa59b36638f7
MD5 hash:
640cd1eaed93e537b2476a749cb1fe37
SHA1 hash:
f756024b9c03293029f7cb0c02efefa6bc1a6f10
Link:
https://www.unpac.me/results/ff84c247-1329-438b-8cad-0299b76b834b/
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/ff84c247-1329-438b-8cad-0299b76b834b/
SH256 hash:
fd1ef223e319a335e62fb040b9819a1ab5e2648c78984f22e8ea235cbea5b8c7
MD5 hash:
97d124f3a1abd3404661b172540d41b4
SHA1 hash:
61ad31af293cd57f2163fcbe109f6d2ad4b57d4c
Link:
https://www.unpac.me/results/ff84c247-1329-438b-8cad-0299b76b834b/
SH256 hash:
f35e37b873cb4bee71eab9a5caa6bc7bcb592d84b7924e83ec00a5c9058eb03b
MD5 hash:
1bbc9d68daddfbdb240d292ad00c3a50
SHA1 hash:
5a3a7e4891e4e24c5d3dacd58fcc6b8ccc02cda5
Link:
https://www.unpac.me/results/ff84c247-1329-438b-8cad-0299b76b834b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f35e37b873cb4bee71eab9a5caa6bc7bcb592d84b7924e83ec00a5c9058eb03b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f35e37b873cb4bee71eab9a5caa6bc7bcb592d84b7924e83ec00a5c9058eb03b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1636061/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189553/

Comments