MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f67b56c419eaa4e3df12d7624c0ef0047fb7ca691a888e02225c9ba6610e8f96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f67b56c419eaa4e3df12d7624c0ef0047fb7ca691a888e02225c9ba6610e8f96
SHA3-384 hash: 6eb6137a689aacdfbecc147642191e77cc13c92f2b63da92f4e34485d7fdc935b2f92daf64df356e7de8adb8dbc51005
SHA1 hash: 064f6654f82eabb5737b076adf076ef052f34a43
MD5 hash: 14340559c381f8f7fefaa8fcea601baa
humanhash: papa-solar-lake-double
File name:SBGW#001232021.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:568'832 bytes
First seen:2021-09-23 06:52:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:gwmtiK5o1kKDeOzsn6fwsRpPZkN9Of6Li1zix9:t+Fo0r61ujLYzix9
Threatray 9'515 similar samples on MalwareBazaar
TLSH T1B3C4221882BD4235CEB78BFD65A035804B75A22EF743E7C90E65B1F2DC2BBE155104AB
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SBGW#001232021.exe
Verdict:
Malicious activity
Analysis date:
2021-09-23 07:20:15 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/aa6d6d5b-21fb-4e3e-b2f9-cd49cbe587fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190584/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.26929.UNOFFICIAL
Create hunting rule

Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19df844e-211e-4921-89c6-7c1de98e8675
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856397
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 488865 Sample: SBGW#001232021.exe Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 31 www.nautilusratio.club 2->31 33 ic-54113400-0ac7b9-windowsupdate48.s.loris.llnwd.net 2->33 35 ic-54113400-0a7b2f-windowsupdate48.s.loris.llnwd.net 2->35 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 8 other signatures 2->57 10 SBGW#001232021.exe 3 2->10         started        signatures3 process4 file5 29 C:\Users\user\...\SBGW#001232021.exe.log, ASCII 10->29 dropped 59 Writes to foreign memory regions 10->59 61 Allocates memory in foreign processes 10->61 63 Injects a PE file into a foreign processes 10->63 14 RegSvcs.exe 10->14         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 14->65 67 Maps a DLL or memory area into another process 14->67 69 Sample uses process hollowing technique 14->69 71 2 other signatures 14->71 17 rundll32.exe 14->17         started        20 explorer.exe 14->20 injected process9 dnsIp10 43 Modifies the context of a thread in another process (thread injection) 17->43 45 Maps a DLL or memory area into another process 17->45 47 Tries to detect virtualization through RDTSC time measurements 17->47 23 cmd.exe 1 17->23         started        37 www.olapeb.com 156.224.2.204, 49804, 80 SONDERCLOUDLIMITED-AS-APSonderCloudLimitedHK Seychelles 20->37 39 shops.myshopify.com 23.227.38.74, 49803, 80 CLOUDFLARENETUS Canada 20->39 41 8 other IPs or domains 20->41 49 System process connects to network (likely due to code injection or exploit) 20->49 25 autoconv.exe 20->25         started        signatures11 process12 process13 27 conhost.exe 23->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f67b56c419eaa4e3df12d7624c0ef0047fb7ca691a888e02225c9ba6610e8f96/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 02:06:50 UTC
AV detection:
10 of 45 (22.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6z5vnraz5ksohxys25reydxqar73pstjdkei4arclsn2myior6la._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24
Formbook
5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8
Formbook
66eaa86ebfd9a80f623d9ca307e0ba4374c56a0af202ab0833d082f92dd101a4
Formbook
695b006f3b83048d47ea1fcae9d7cbacac8f82b4f3d2908ca20f06788e8b3b92
Formbook
7b4c1bf9a15a419080fe02866aa26f162f79d5e01763c6af5915b07988556223
Formbook
84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d
Formbook
9545b9927196fd12d327c38b6f99dbfe3be7beeefb9e4c4a9d3b038c5c39c119
Formbook
990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d
Formbook
e51c60f40080414b74c2eeef62780b28aa31c7875dada6dc2097323a61cc8396
Formbook
+ 9'505 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:etaf loader rat suricata
Link:
https://tria.ge/reports/210923-hnnc3aaack/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.jingkevip.com/etaf/
Unpacked files
SH256 hash:
857d1f34774a5c7f5debe1e2a5efde128f12921247f167ba4a35a8eb6385cb47
MD5 hash:
2e649100656a063befb21d563d8da57c
SHA1 hash:
2b0683aec0553362a6f774bb26c8dd2324503fd5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ba89531e-91aa-4bc8-91ff-d426be534808/
Parent samples :
9545b9927196fd12d327c38b6f99dbfe3be7beeefb9e4c4a9d3b038c5c39c119
ef4a9aba2afcd39bbfbce4fde4f5b14869115984d430c2e73353e89e214feaa4
695b006f3b83048d47ea1fcae9d7cbacac8f82b4f3d2908ca20f06788e8b3b92
f67b56c419eaa4e3df12d7624c0ef0047fb7ca691a888e02225c9ba6610e8f96
SH256 hash:
06ac60d3b4794de813b92113200352bbbdb9912fdf05ff84e19a244d15ba8627
MD5 hash:
3f4f203eb13cb0a710fb6e60573908f6
SHA1 hash:
ed30d8bf7de58c457bba8ef163645499c58cb43e
Link:
https://www.unpac.me/results/ba89531e-91aa-4bc8-91ff-d426be534808/
SH256 hash:
dda83b3159776ae73de8427e024c78935a569ebab77b401cc9e3feeaf4874f95
MD5 hash:
fca82be619b4231273148aee3fb18442
SHA1 hash:
bdd370029c812cbc7dfd16120361aae4311e9f6c
Link:
https://www.unpac.me/results/ba89531e-91aa-4bc8-91ff-d426be534808/
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/ba89531e-91aa-4bc8-91ff-d426be534808/
SH256 hash:
f67b56c419eaa4e3df12d7624c0ef0047fb7ca691a888e02225c9ba6610e8f96
MD5 hash:
14340559c381f8f7fefaa8fcea601baa
SHA1 hash:
064f6654f82eabb5737b076adf076ef052f34a43
Link:
https://www.unpac.me/results/ba89531e-91aa-4bc8-91ff-d426be534808/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/f67b56c419eaa4e3df12d7624c0ef0047fb7ca691a888e02225c9ba6610e8f96

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 57fe8740462017542aab820e51058f7e572afb2f0f768f0be972d4ce4c7790d6

Formbook

Executable exe f67b56c419eaa4e3df12d7624c0ef0047fb7ca691a888e02225c9ba6610e8f96

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 57fe8740462017542aab820e51058f7e572afb2f0f768f0be972d4ce4c7790d6
Cape
Cape
https://www.capesandbox.com/analysis/190584/

Comments