MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7031a211f3a084ce9b215e9faf438125d11cf1daf963b9ec0d994a66dee6df0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7031a211f3a084ce9b215e9faf438125d11cf1daf963b9ec0d994a66dee6df0
SHA3-384 hash: 28c80b4ab772a2c58eccd623585ef8838aed719a80a0b572be5d58f5f6f983656952377bd107110784ff2d2b75bb581d
SHA1 hash: ddac3d55f51641552e3a13ce66398320fe29ec15
MD5 hash: d362ffc6b594c617852f20b87ab4bbef
humanhash: pennsylvania-march-alanine-double
File name:d362ffc6b594c617852f20b87ab4bbef
Download: download sample
Signature Formbook
Create hunting rule
File size:504'320 bytes
First seen:2021-09-20 06:48:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:X4k4DbF53e0IUFLK5QwEz+903isUwVu09nqYeJ2VCjWiJ:COVEz+9pRiu09nqHoUii
Threatray 9'531 similar samples on MalwareBazaar
TLSH T15EB4AE243DFB5129F0B3AFB95EE074869A6FF6233A17E45D1451038A0B23B81DD9173A
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER CONFIRMATION.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-14 08:59:11 UTC
Tags:
encrypted opendir trojan exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/8bb45402-eaab-495a-a675-005d2feb7e82

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189223/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25-1.UNOFFICIAL
Create hunting rule

Win.Packed.Pwsx-9893004-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c691ce20-f387-475b-9ee3-194b73dc655a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853771
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 486202 Sample: Ota2Wn3EP3 Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 33 www.jrufexsh.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Multi AV Scanner detection for domain / URL 2->43 45 Found malware configuration 2->45 47 9 other signatures 2->47 11 Ota2Wn3EP3.exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\Ota2Wn3EP3.exe.log, ASCII 11->31 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 15 Ota2Wn3EP3.exe 11->15         started        18 Ota2Wn3EP3.exe 11->18         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 20 explorer.exe 15->20 injected process9 dnsIp10 35 omelhorcurso-online.com 108.179.193.173, 49854, 80 UNIFIEDLAYER-AS-1US United States 20->35 37 www.denme.net 91.195.240.94, 49855, 80 SEDO-ASDE Germany 20->37 39 13 other IPs or domains 20->39 49 System process connects to network (likely due to code injection or exploit) 20->49 24 cscript.exe 20->24         started        signatures11 process12 signatures13 51 Self deletion via cmd delete 24->51 53 Modifies the context of a thread in another process (thread injection) 24->53 55 Maps a DLL or memory area into another process 24->55 57 Tries to detect virtualization through RDTSC time measurements 24->57 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f7031a211f3a084ce9b215e9faf438125d11cf1daf963b9ec0d994a66dee6df0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 12:07:40 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1575d06ca2a52c1ff60058d6fba43712c2926ecd3f640710ed8f96ec3aaf57da
Formbook
24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849
Formbook
2f36f2e2951a2540ab138afc8ac70f8bb37b83f01199434e247aa6716e1eb47a
Formbook
5ae912c556f676264f800d3ab31aa932564b2dde8fae76f6dbeb8d568f92aee5
Formbook
64550a0d3d1c28b1ec50006327a707b7287997aa7ca146153440935a033ccb97
Formbook
70e7c5966ac86d48e0519f9b2b34703d2915b603836f4de0be2a2badddd258e7
Formbook
a08bf89a7e4c15fb33684e268199df85727a6ab759a1d7f3d5ba2b7a0e49f17a
Formbook
c494dceddfa1c8c6944a93f902c641ab5f99352ba48b81849e576f7da353314c
Formbook
cc92eda0a8290172b29b51ff05fa235ffd0389fce74d0a40d0e5cc1e4af11497
Formbook
d99804145213694ea4b93c8acb43bf14d712b2043c247c703f88ebc97bf9c8d8
Formbook
+ 9'521 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:nthe loader rat
Link:
https://tria.ge/reports/210920-hlb71sdbe5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.hanlansmojitovillage.net/nthe/
Unpacked files
SH256 hash:
d079cec0893abc6f920b2fbbc6855cb1e926fa8e9e8111384b069bc37c581ac1
MD5 hash:
9f4c020edaef562bb061a68f9b2c4e12
SHA1 hash:
43dfab7d93965f70a78dbb34932b2211d0e11038
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/85a6e4be-e965-4d24-845b-b61eb9a1ebee/
Parent samples :
35042592e4abe63a3a51543f2cf419f83dee5e2b44bc2d7fe33173fccd10d93a
d07dcdf05ff20a2596f795af5fb57e9c599ab0dc6dfb8d536b22dcfe502d6cf3
2ad430df48ef7060c1fa6c6c89698c95724291b314155288d5c13b5735d3837d
8b3535f44d1b9df9297fb95f8071f8488ca55c7511472b597942c779b400dbb9
1fd6624177dda187c2462dce333d623b4a1e3decb2cfe0045c382e9cdc1312f7
f7031a211f3a084ce9b215e9faf438125d11cf1daf963b9ec0d994a66dee6df0
40227b96f52a4e9a0cda9f3903a286bcbc78ae7a1138c9260c984d66f2f8dd0d
34a89eda5dd4aef3efb096011f27bba7354b4c624d5dc01f4b43a18ac42d6af4
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/85a6e4be-e965-4d24-845b-b61eb9a1ebee/
SH256 hash:
3c0344189d1c0121579b62568d84a306522ab1e4bb1febe34524267e55dc0137
MD5 hash:
e6c777c5b8734b3d6ad9451bb940dab5
SHA1 hash:
061149e420c9ff44190e25f8c629d5e370e47ae4
Link:
https://www.unpac.me/results/85a6e4be-e965-4d24-845b-b61eb9a1ebee/
SH256 hash:
f7031a211f3a084ce9b215e9faf438125d11cf1daf963b9ec0d994a66dee6df0
MD5 hash:
d362ffc6b594c617852f20b87ab4bbef
SHA1 hash:
ddac3d55f51641552e3a13ce66398320fe29ec15
Link:
https://www.unpac.me/results/85a6e4be-e965-4d24-845b-b61eb9a1ebee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.74
Link:
https://yomi.yoroi.company/submissions/f7031a211f3a084ce9b215e9faf438125d11cf1daf963b9ec0d994a66dee6df0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f7031a211f3a084ce9b215e9faf438125d11cf1daf963b9ec0d994a66dee6df0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1634821/
Cape
Cape
https://www.capesandbox.com/analysis/189223/

Comments


Avatar
zbet commented on 2021-09-20 06:48:55 UTC

url : hxxp://103.133.106.199/msn/vbc.exe