MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e
SHA3-384 hash: b6d53a34a7059d6770a9f8dabe07ec5b730c98498acf4b76197c2945720f19da7cc2d5b28c286b6f6eacfaf7c87469c9
SHA1 hash: 526b740fdf0c8d3d16de1cbe6fc687719a6c2814
MD5 hash: 980c080857ff5a30b52a62d8649042da
humanhash: mockingbird-floor-oklahoma-three
File name:980c080857ff5a30b52a62d8649042da
Download: download sample
Signature Formbook
Create hunting rule
File size:330'240 bytes
First seen:2021-10-26 13:18:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:zAGjpN2hFNrsRnvV/KloM3lkrEBGG5eR2IdOrw3zR2gQSQ6:p32hnsa+EfIdOKRfQS
Threatray 10'827 similar samples on MalwareBazaar
TLSH T10364125C4AECD73AEBBE277A109005D8237A62253512F75D8F1930E56F73F028875A8B
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/200243/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1085.7308.12482.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61780048db358dd15edc97f6/reports/788214fa-7c26-47b7-be4e-a9d24f1937b0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b7344d13-ec25-41ea-aea5-9481389c22bb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/877032
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 509467 Sample: Wq9FLAFuS8 Startdate: 26/10/2021 Architecture: WINDOWS Score: 100 29 www.wodemcil.com 2->29 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 7 other signatures 2->55 10 Wq9FLAFuS8.exe 3 2->10         started        signatures3 process4 file5 27 C:\Users\user\AppData\...\Wq9FLAFuS8.exe.log, ASCII 10->27 dropped 57 Tries to detect virtualization through RDTSC time measurements 10->57 59 Injects a PE file into a foreign processes 10->59 14 Wq9FLAFuS8.exe 10->14         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 14->61 63 Maps a DLL or memory area into another process 14->63 65 Sample uses process hollowing technique 14->65 67 Queues an APC in another process (thread injection) 14->67 17 raserver.exe 14->17         started        20 explorer.exe 14->20 injected process9 dnsIp10 37 Self deletion via cmd delete 17->37 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 43 Tries to detect virtualization through RDTSC time measurements 17->43 23 cmd.exe 1 17->23         started        31 ildomains.cashcow.co.il 20.56.187.216, 49814, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 20->31 33 encircled-citadel-imoww28dd8tfj1bfgusd45vj.herokudns.com 54.91.6.89, 49806, 80 AMAZON-AESUS United States 20->33 35 6 other IPs or domains 20->35 45 System process connects to network (likely due to code injection or exploit) 20->45 47 Performs DNS queries to domains with low reputation 20->47 signatures11 process12 process13 25 conhost.exe 23->25         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-26 07:43:08 UTC
AV detection:
26 of 45 (57.78%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02a9e7458836d89cc02de2333176fcfdc9e462535e73e5b032f13e604b831b72
Formbook
030d67d113b2193c850c7ac4d993c571b478ce61d12b892a8feecc2938775d91
Formbook
5c6bb4be3e5abfc077f779645b07502ad3f9357fa3c486db79d0a2fb4f470527
Formbook
64e3a0f2298f21833eb7a9c51aa0b2b8d3354bdcefb0156bb34371e3163d8b3d
Formbook
aba852eff9b53848b266228241991403993f7769587712794eb5f406ce4c9a6c
Formbook
b207cf6e0fe84692f4311e2768d913bae8005da5f7ed4cf1cee2459a6f62faa9
Formbook
b3bc74c1f3673da08a95775af5f39dd116a249d8a7e597fcd8bb56e07ae3bcd2
Formbook
c1426732f06b03f0d2f0b2afd275bcd17ceb24d16174db630e10fab4fee09f04
Formbook
c53c1098e4621c2258d13bd6c36d95493343129c5846f6c0ca07c12565da843d
Formbook
ea12191fcd49d36b68be2c466a24cac87cfd79f9d1fb18ef252037f0fb976979
Formbook
+ 10'817 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:mwev loader rat
Link:
https://tria.ge/reports/211026-qkhx6sheh5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.scion-go-getter.com/mwev/
Unpacked files
SH256 hash:
a5c2baaf64d2f20666f5d02876e9f5b59d8ec5c538ee82f1711d9d0db3f189e0
MD5 hash:
8ecd3b39d0778503439b9e9dd0475b2d
SHA1 hash:
249f0f11920286ba191592bfaf13a2c0d7cc7ca6
Link:
https://www.unpac.me/results/2304ca23-cc61-4d31-b1f3-3de703d2d792/
SH256 hash:
e6c649829a73832c81df21456041e3f9e4a0f5da4b07fb0813f72585a7c3adab
MD5 hash:
cd33a36a3cb4da2d8478569a1b193487
SHA1 hash:
5b7ca161e768d2191872e647a53ac087772953cd
Link:
https://www.unpac.me/results/2304ca23-cc61-4d31-b1f3-3de703d2d792/
SH256 hash:
0c11575232a84acd1d6d0b4fe8f9b6009cbaca05245212d909225604ea98c951
MD5 hash:
5601213aece87a7070bd0a1a420b69e4
SHA1 hash:
6d3d6dfa1b04fcf41f2c685b99366a228dcd86a5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2304ca23-cc61-4d31-b1f3-3de703d2d792/
Parent samples :
fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e
92206b9fa1251b589ab6d14b4828cafe0ec9d9b44df469602b7d3d1ed16ae0e8
99889ef9126eddb7fee40e181c9832c734f8cef74736e2c577438300b468751c
945e623b814b647326ed96bc5be37010053fdc50f9dce11d96e408c22a8afd4a
7a0cd1587a69eaf31f745c4f39b0bfbbfbf23f1d1b483b1448da6b90fdaf6caa
cd53040ec21c86fa58a23ef8a844b96b05454800c6aabe0e9d5772e3ab07bce6
06590d9c81caf0a4855c2a31c7bbe55a4646ffcb24cb165278e0495b3cf8a250
32121f53dac2e51662a709562a1247db9ff6a76ed8a5efd68492f28b9a25370e
SH256 hash:
fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e
MD5 hash:
980c080857ff5a30b52a62d8649042da
SHA1 hash:
526b740fdf0c8d3d16de1cbe6fc687719a6c2814
Link:
https://www.unpac.me/results/2304ca23-cc61-4d31-b1f3-3de703d2d792/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1715582/
Cape
Cape
https://www.capesandbox.com/analysis/200243/

Comments


Avatar
zbet commented on 2021-10-26 13:18:52 UTC

url : hxxp://198.46.199.161/0010/vbc.exe