MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd21ea0fe3b13bc6f4173e46304760631907bc61ce3250844f001c60c1011c05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd21ea0fe3b13bc6f4173e46304760631907bc61ce3250844f001c60c1011c05
SHA3-384 hash: 712e1fcf4784bde9235d1ba7defcac6f79b29a5b91912ab881b8b9c48602f1baf2ba3b92b5285e3913aff542c78fc37e
SHA1 hash: 97aa92648f2833b6ea49f19d260e3a06dd42a732
MD5 hash: becabfaf86e4dbfaf6766555c7682596
humanhash: music-violet-venus-vegan
File name:sample catalog_copy.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:847'518 bytes
First seen:2021-01-28 14:02:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 64 x GuLoader, 54 x Loki)
ssdeep 12288:AtFPyk3GUC5+b5xEBzv6xlIANPqYdWgeV7MzUtVOhpLiDg7P9:EFPYU1olvsIA9VowzlLiq9
Threatray 3'654 similar samples on MalwareBazaar
TLSH AD054603A82C98B2EF39A33E01154DD9A1F41D5C56CDB21A47B8BD3DD97C4225E1FA2E
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
sample catalog_copy.exe
Verdict:
Malicious activity
Analysis date:
2021-01-28 14:04:14 UTC
Tags:
autoit trojan formbook stealer
Link:
https://app.any.run/tasks/7837622e-2e3a-4954-8a74-d75ac9941558

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114234/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/592904
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 345495 Sample: sample catalog_copy.exe Startdate: 28/01/2021 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 3 other signatures 2->55 11 sample catalog_copy.exe 12 2->11         started        process3 file4 33 C:\Users\user\AppData\Local\Temp\gzqtin.exe, PE32 11->33 dropped 14 gzqtin.exe 1 11->14         started        process5 file6 35 C:\Users\user\AppData\...\705ld0e5oi2s34i.exe, PE32 14->35 dropped 73 Writes to foreign memory regions 14->73 75 Maps a DLL or memory area into another process 14->75 77 Sample uses process hollowing technique 14->77 18 705ld0e5oi2s34i.exe 14->18         started        signatures7 process8 signatures9 57 Multi AV Scanner detection for dropped file 18->57 59 Detected unpacking (changes PE section rights) 18->59 61 Modifies the context of a thread in another process (thread injection) 18->61 63 4 other signatures 18->63 21 explorer.exe 18->21 injected process10 dnsIp11 37 www.tronicsbuyer.com 74.220.199.6, 49754, 80 UNIFIEDLAYER-AS-1US United States 21->37 39 ac500.zfbgelycyf09.com 65.52.161.131, 49745, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->39 41 23 other IPs or domains 21->41 65 System process connects to network (likely due to code injection or exploit) 21->65 25 wlanext.exe 12 21->25         started        signatures12 process13 dnsIp14 43 www.lfmanyan.com 25->43 45 gz01.bch.baidu-itm.com 25->45 47 2 other IPs or domains 25->47 67 Modifies the context of a thread in another process (thread injection) 25->67 69 Maps a DLL or memory area into another process 25->69 71 Tries to detect virtualization through RDTSC time measurements 25->71 29 cmd.exe 1 25->29         started        signatures15 process16 process17 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd21ea0fe3b13bc6f4173e46304760631907bc61ce3250844f001c60c1011c05/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-01-28 03:11:07 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7uq6ud7dwe54n5axhzddar3ammmqppdbzyzfbbcpaaogbqibdqcq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0e6c9ec44aee5518a67ba5b5beda49639a715f191bb77099ecd57e326fc0d811
Formbook
238dd9cb9b1c235e2babbc3f3b1372da8d76e4d94a4440776814957e0fd09f0b
Formbook
3dd09fd4260601900a344471ec20765518599ec29a36bd70ec820ec88ab6543c
Formbook
73872fa96dc607365e450f7dae21085f9091d511fb2a495ae55b2a3e812d9a34
Formbook
767c6a99428699b36e98c7b3444ccf34b4823f5666f42f69fbefbf2d19ab8af9
Formbook
7a847a23a2407172035d5eeb7fe1117c851b2947e133c1ca3a236293e5fc5432
Formbook
a21da47756a5b8a820ac633dcc6902b2ca4b9dd0861741f8f68153e5c436bda5
Formbook
b44eadaf040e35aad4ad48b005fdc9b5551bfc1f8fb2171b472d3706af133536
Formbook
bfe365fae8e14aae158de051972efe75103b705f7d8cf84061f857d79bb1993b
Formbook
fc06c75c1b3c7a0ffac2a20aaec4abba36a50e1ddc8917efc555a6d4b58daf72
Formbook
+ 3'644 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader ransomware rat spyware stealer trojan
Link:
https://tria.ge/reports/210128-svpl264896/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.firstbirthdayphotoshoot.com/nu8e/
Unpacked files
SH256 hash:
425d48d260d4a9beb289bec95284070a63523164829b9d032c7d99e83c01af34
MD5 hash:
e26fe8127e530db6e7356a8a644a5bc7
SHA1 hash:
e328a99c3f81f69750afb93f7fc9277a778f40b3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e60319db-508c-4c7d-ad99-219044ffb134/
Parent samples :
73872fa96dc607365e450f7dae21085f9091d511fb2a495ae55b2a3e812d9a34
767c6a99428699b36e98c7b3444ccf34b4823f5666f42f69fbefbf2d19ab8af9
fd21ea0fe3b13bc6f4173e46304760631907bc61ce3250844f001c60c1011c05
eb275e1b98fd92888969871af8e7fca0673da25cb476ac4f77303b4b2d0a98ce
SH256 hash:
8cf5cf0efb072fac79a80001ad1fcaefc548ff159b57534e9f0331c8b1cdb3e2
MD5 hash:
5da5ad17cc53039f55fe216f897ef97f
SHA1 hash:
f563f00d68660dc1b5bcb62987c646be46c06c07
Link:
https://www.unpac.me/results/e60319db-508c-4c7d-ad99-219044ffb134/
SH256 hash:
fd21ea0fe3b13bc6f4173e46304760631907bc61ce3250844f001c60c1011c05
MD5 hash:
becabfaf86e4dbfaf6766555c7682596
SHA1 hash:
97aa92648f2833b6ea49f19d260e3a06dd42a732
Link:
https://www.unpac.me/results/e60319db-508c-4c7d-ad99-219044ffb134/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd21ea0fe3b13bc6f4173e46304760631907bc61ce3250844f001c60c1011c05

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/114234/

Comments