MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745
SHA3-384 hash: 6bbdaaf57bb42b44a75d474a685ea76684a923e8b267a5f25e313e3c07455773c7436162c9f96d2c734d4cea4de082f7
SHA1 hash: 4201eb7214bd3658889739e4856412b8063e0405
MD5 hash: fff91c58119d3cd7f68457e8565f7116
humanhash: dakota-nevada-hotel-fifteen
File name:TT_SWIFT_Export Order_noref S10SMG00318021.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:669'184 bytes
First seen:2021-11-25 16:28:51 UTC
Last seen:2021-11-26 06:38:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:vCs0Vr2RpOtM9jWo4jS49MAr38GIXixBFm7XWABfGlW:qs0VCRgtMYo4jbMAr3MXi1DgfGw
Threatray 9'700 similar samples on MalwareBazaar
TLSH T19AE4BF207A181183D68F89F2288E81A6D765B928F345DD0F33D0BD3DC5AA6F04E5E5ED
File icon (PE):PE icon
dhash icon b2bec096ac968682 (15 x AgentTesla, 5 x Formbook, 3 x AveMariaRAT)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TT_SWIFT_Export Order_noref S10SMG00318021.exe
Verdict:
Malicious activity
Analysis date:
2021-11-25 16:29:56 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/986938e7-58e3-4128-a7e5-a460757b62ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a file in the %temp% directory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed strictor
Link:
https://www.filescan.io/uploads/619fb9d1f36138de3f3cc0a4/reports/2d6b64e0-7020-4b63-a236-cb6da0969d8e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55df328e-d7ff-4910-bb54-e52740ded24f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896226
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 528704 Sample: TT_SWIFT_Export Order_noref... Startdate: 25/11/2021 Architecture: WINDOWS Score: 100 39 www.oki-net.com 2->39 41 www.elderlycareacademy.com 2->41 43 webredir.vip.gandi.net 2->43 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 14 other signatures 2->57 8 TT_SWIFT_Export Order_noref S10SMG00318021.exe 6 2->8         started        signatures3 process4 file5 35 C:\Users\user\AppData\Roaming\AnsPejV.exe, PE32 8->35 dropped 37 C:\Users\user\AppData\Local\Temp\tmp3FD.tmp, XML 8->37 dropped 67 Adds a directory exclusion to Windows Defender 8->67 12 TT_SWIFT_Export Order_noref S10SMG00318021.exe 8->12         started        15 powershell.exe 23 8->15         started        17 powershell.exe 25 8->17         started        19 schtasks.exe 1 8->19         started        signatures6 process7 signatures8 69 Modifies the context of a thread in another process (thread injection) 12->69 71 Maps a DLL or memory area into another process 12->71 73 Sample uses process hollowing technique 12->73 75 Queues an APC in another process (thread injection) 12->75 21 help.exe 12->21         started        24 explorer.exe 12->24 injected 27 autochk.exe 12->27         started        29 conhost.exe 15->29         started        31 conhost.exe 17->31         started        33 conhost.exe 19->33         started        process9 dnsIp10 59 Modifies the context of a thread in another process (thread injection) 21->59 61 Maps a DLL or memory area into another process 21->61 63 Tries to detect virtualization through RDTSC time measurements 21->63 45 www.wamhsh.com 156.226.250.165, 49782, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 24->45 47 www.aarondecker.online 209.17.116.163, 49786, 80 DEFENSE-NETUS United States 24->47 49 7 other IPs or domains 24->49 65 System process connects to network (likely due to code injection or exploit) 24->65 signatures11
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-11-25 11:05:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7danhbpm5consjvsy5dibqbw7gjhifevlz77j3iswv3eoc4mc5cq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
17c15779e354a3ab07ababa6df6eea95a31d04dbebd7f981424995d4194b9eaf
Formbook
2d8c309657fab94b3ff5f82de799ceee9a059a06792158e03903c39a32ee780e
Formbook
2fdb4786a7989663dd0873cd19eefcdb4a5bdc1dfe3d870c41da43b35cf9dacd
Formbook
3905a71c3e23f4845d1201f74ac1c9c041b0254ff486a3ea4fc2bb7119631ce9
Formbook
3b5e31e4b62087dfa7cac1a39c31896d25d465c971fe1db3e9a9271471ce416d
Formbook
6b7d061085da569762cabe1387c4aed2fe6fc1bac9634429b636a020122f77aa
Formbook
6f3ddb071f889d2c41a27e1237113f333ffee0232997b95896767d354eef7df5
Formbook
7fc473e71a4cc415265c536fe6ce3333d269ae5b8b80bcaec49cfd1916b81df3
Formbook
b830b088dcc04db74fc8afbb16dcfff0134c405228be44df5d996a9a5b254bff
Formbook
e8ce5985ee1a483e58a51299ba46bb084dd61b5adc33a1c0c903bb9b31beb66d
Formbook
+ 9'690 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:46uq loader rat
Link:
https://tria.ge/reports/211125-ty8yasbbb4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.liberia-infos.net/46uq/
Unpacked files
SH256 hash:
ff1617f3a5d1c41889a9ffe448ec461bdffcc05a823d7bce53d71cd352931c28
MD5 hash:
1e8e32ce8f04d3d466b7abbc22475707
SHA1 hash:
d69f42046f5fb4f9fb6035e1238707c81a39edb5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b045991a-ea9f-43cf-9ff8-fe2954b7507f/
Parent samples :
e7f1ace8723e30320b9e8bc3dc8a079c2d82d8c58b6ef7e0810ee4f661f5f141
96eb36242589b7a64977eea92e0c0834e5321b605f9a306110398d4da428f3d3
c36c4e9b60d516ae00051b635624267123056adbbd874b7b9f67920dcb71aada
c50fdcefdf51c648404eb54eebcb81012e2c736252e232759c7eef5fac1d5174
f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745
d176de3884899e94f7c82f1ad0b21e9f305d3d5d7d753cc701a880e01d692cad
SH256 hash:
d7823ed9ee836e5d2dddd631ef42faa9b9b66f07dce0b5772cea51e19161e032
MD5 hash:
aa2e650313b520aa7dc02273323bc811
SHA1 hash:
6f40a9e61f2f8c72c1a36844cb85f47c0b4d81f1
Link:
https://www.unpac.me/results/b045991a-ea9f-43cf-9ff8-fe2954b7507f/
SH256 hash:
f6639a3b21a09ca5e9e43e10f8ac7f822956232806805252096f03f68bc9815c
MD5 hash:
aa334e922c53c5cba0b43c342ac13b14
SHA1 hash:
68109327b5e98174293bb348dfea6a088cbd5d2f
Link:
https://www.unpac.me/results/b045991a-ea9f-43cf-9ff8-fe2954b7507f/
SH256 hash:
f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745
MD5 hash:
fff91c58119d3cd7f68457e8565f7116
SHA1 hash:
4201eb7214bd3658889739e4856412b8063e0405
Link:
https://www.unpac.me/results/b045991a-ea9f-43cf-9ff8-fe2954b7507f/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f8c0d385ece8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745

(this sample)

  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/209404/

Comments