MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fce51b6f1f69629c651dfaedbcdcb55d25da39e8184614c1cb26e4c247f6d3ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fce51b6f1f69629c651dfaedbcdcb55d25da39e8184614c1cb26e4c247f6d3ac
SHA3-384 hash: c895aaf207bde565608e85ec18bdb5662c5f6fc5dccab708f3024d61934aa33289859d4d741459d7106b8278056e797e
SHA1 hash: 88e1790ac5776b63e9816d9e4e01fe58a0c5efe5
MD5 hash: d983862e8297f970c50c51c88e31e708
humanhash: uncle-uniform-orange-angel
File name:28TE0zVuMKbx21I.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:980'480 bytes
First seen:2022-03-23 13:11:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:kt8LFNtY1RMm3FweiiQ0/6SCZxXNCGMurUDXHA1ZysYIez:6ie9ccCZ1uD3aZyj
TLSH T1F725238D13D5A312CABC17BDD6A49E121E72576E6103EF0C8F5621E42D633F1CB2199B
File icon (PE):PE icon
dhash icon dadadadaa6a6a6a6 (12 x Formbook, 8 x AgentTesla, 5 x SnakeKeylogger)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
28TE0zVuMKbx21I.exe
Verdict:
Malicious activity
Analysis date:
2022-03-23 13:10:55 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/dcdcc360-7901-43d6-9488-151fa04deeca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/256640/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1262.13185.27333.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/963351
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 595830 Sample: 28TE0zVuMKbx21I.exe Startdate: 24/03/2022 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 Antivirus detection for URL or domain 2->33 35 6 other signatures 2->35 10 28TE0zVuMKbx21I.exe 3 2->10         started        process3 file4 27 C:\Users\user\...\28TE0zVuMKbx21I.exe.log, ASCII 10->27 dropped 13 MSBuild.exe 10->13         started        process5 signatures6 43 Modifies the context of a thread in another process (thread injection) 13->43 45 Maps a DLL or memory area into another process 13->45 47 Sample uses process hollowing technique 13->47 49 2 other signatures 13->49 16 explorer.exe 13->16 injected process7 process8 18 systray.exe 16->18         started        signatures9 37 Modifies the context of a thread in another process (thread injection) 18->37 39 Maps a DLL or memory area into another process 18->39 41 Tries to detect virtualization through RDTSC time measurements 18->41 21 cmd.exe 1 18->21         started        23 explorer.exe 111 18->23         started        process10 process11 25 conhost.exe 21->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fce51b6f1f69629c651dfaedbcdcb55d25da39e8184614c1cb26e4c247f6d3ac/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-23 13:12:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7tsrw3y7nfrjyzi57lw3zxfvlus5uopidbdbjqole3smer7w2owa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:p89m loader rat
Link:
https://tria.ge/reports/220323-qfjc5segd2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
cc80971fd2baed32550474d4367c6d939d0c287eced9b5f8761eca43d5b3a66d
MD5 hash:
56f4744255fb331db5e15b56c98fe3a8
SHA1 hash:
855240f8a60cb4b99b12da7a4fbc753f04b48fd4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/df122463-7558-431c-ac94-bb37e5130351/
Parent samples :
b1fdff098dabc1d5beb91484f6f82637f359cb0f7fb4764b282c299c2d341ffa
fce51b6f1f69629c651dfaedbcdcb55d25da39e8184614c1cb26e4c247f6d3ac
d6ee29c576a6f06612430d000f2f72fd64df7763a982acf42e72f4bcd4665c3a
0caa4913b91c7894d7838ff8cafb102f0b66efe4e587cc812e272ac2b01d2c4d
599be6a84953ba867aeb689c7ed72490de7c3e9abfa864846fe926f9f1a04bfb
0dbf45f302917167c793be3d65d903505cf00cc18c8fa417ff84edd6df162cff
SH256 hash:
9533464ca16e08f615db789ab1357b2b0572e84da545ea52a428db949451174f
MD5 hash:
2eb6695649e6dcf2ec503445dd02698c
SHA1 hash:
dda9934559939c05b29db21397aa3c8b65e17428
Link:
https://www.unpac.me/results/df122463-7558-431c-ac94-bb37e5130351/
SH256 hash:
dc5c057b0ee1eb079cf189762aac69f0d86338ea18795dc4fbf7ed9b5a45c2eb
MD5 hash:
4103ed94f4747b30e166cf3c25416f47
SHA1 hash:
d553a67056e94f60d621ca42dcecd6d93f9ef1ad
Link:
https://www.unpac.me/results/df122463-7558-431c-ac94-bb37e5130351/
SH256 hash:
98c62a81732896e6d1718dc479792fd057e9e2e8b1c46b3db6d9ef15f7b4fb0d
MD5 hash:
5de2ec83c6da7af3250f3fa974cf89c9
SHA1 hash:
247f31145105cdbd8537ea3d91fe81bd47544730
Link:
https://www.unpac.me/results/df122463-7558-431c-ac94-bb37e5130351/
SH256 hash:
fce51b6f1f69629c651dfaedbcdcb55d25da39e8184614c1cb26e4c247f6d3ac
MD5 hash:
d983862e8297f970c50c51c88e31e708
SHA1 hash:
88e1790ac5776b63e9816d9e4e01fe58a0c5efe5
Link:
https://www.unpac.me/results/df122463-7558-431c-ac94-bb37e5130351/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/fce51b6f1f69629c651dfaedbcdcb55d25da39e8184614c1cb26e4c247f6d3ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/256640/

Comments