MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdd0267b7a2fc993e613cd13de583f4c257467338134d5323ce49c0ad0f02fb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdd0267b7a2fc993e613cd13de583f4c257467338134d5323ce49c0ad0f02fb6
SHA3-384 hash: fd9f0e84cb21e8b05a823a408206cd8d8e6952754ee5b802548f508b9520448aefa15df720e654b0464ceaf2fa2cf2fd
SHA1 hash: e501beb40456f7213f9bb2b6cecaefd7aaf7100d
MD5 hash: f94b7b97c25c3cba54e881caa18eaeb9
humanhash: magazine-thirteen-grey-winter
File name:f94b7b97c25c3cba54e881caa18eaeb9
Download: download sample
Signature Formbook
Create hunting rule
File size:956'928 bytes
First seen:2021-06-28 12:30:56 UTC
Last seen:2021-06-28 13:34:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:oRpwuo3JbGgsD0C6jpHSgmZ9rUEok2+LA8lX2HkbMUTmVwQMhI2ZU:2gKGhZSlZWX2H9TU
Threatray 6'079 similar samples on MalwareBazaar
TLSH C515BE207AE95126E5B65F7D49B0704156BDFE622F17C87D28B132C91733A82CAB133E
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f94b7b97c25c3cba54e881caa18eaeb9
Verdict:
Malicious activity
Analysis date:
2021-06-28 12:32:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bb821b5e-e697-4703-9919-6e1f46bdf410

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168583/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.889.9423.16001.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8640dac-4f66-4298-950c-248a98d915bb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808814
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 441225 Sample: JYHtfExdx6 Startdate: 28/06/2021 Architecture: WINDOWS Score: 100 37 www.56duorou.com 2->37 39 www.tahdahhh.com 2->39 41 2 other IPs or domains 2->41 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 67 7 other signatures 2->67 9 JYHtfExdx6.exe 7 2->9         started        13 explorer.exe 2->13         started        signatures3 65 System process connects to network (likely due to code injection or exploit) 37->65 process4 dnsIp5 29 C:\Users\user\AppData\...\TmvNxVFtdv.exe, PE32 9->29 dropped 31 C:\Users\...\TmvNxVFtdv.exe:Zone.Identifier, ASCII 9->31 dropped 33 C:\Users\user\AppData\Local\...\tmp593D.tmp, XML 9->33 dropped 35 C:\Users\user\AppData\...\JYHtfExdx6.exe.log, ASCII 9->35 dropped 69 Uses schtasks.exe or at.exe to add and modify task schedules 9->69 71 Tries to detect virtualization through RDTSC time measurements 9->71 73 Injects a PE file into a foreign processes 9->73 16 JYHtfExdx6.exe 9->16         started        19 schtasks.exe 1 9->19         started        43 www.tintuconline24h.net 107.163.42.254, 49745, 80 TAKE2US United States 13->43 45 standakcompagnie.com 91.234.195.123, 49746, 80 RMI-FITECHFR France 13->45 47 10 other IPs or domains 13->47 75 System process connects to network (likely due to code injection or exploit) 13->75 21 help.exe 13->21         started        file6 signatures7 process8 signatures9 49 Modifies the context of a thread in another process (thread injection) 16->49 51 Maps a DLL or memory area into another process 16->51 53 Sample uses process hollowing technique 16->53 55 Queues an APC in another process (thread injection) 16->55 23 conhost.exe 19->23         started        57 Tries to detect virtualization through RDTSC time measurements 21->57 25 cmd.exe 1 21->25         started        process10 process11 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fdd0267b7a2fc993e613cd13de583f4c257467338134d5323ce49c0ad0f02fb6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-28 12:31:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
28eb771845a5d55d5b5549cbc0b8b45fcc928e3e2e18013d7e3c84c592f86578
Formbook
3acd86ada75ac819a4374720b7e4dfbf270974237f9e7794c7cc51d510a9bff9
Formbook
5ec36ac5ba843f29bb0dc75d7d527ab9cee34a681bad704a89fd5ed12cdea337
Formbook
68fa77befde4e147cc7bc2fb142306a94245adb49c4ccca175f12f29414ce3d1
Formbook
6a37a2a65393b805bbe4e7e4e42b642da433e9caa7436aaeb9df8ab0fc6679b9
Formbook
7bcbf4813256ce1a199f54f824f5e337a6ab4709287dcfa78f0cb24392e735a9
Formbook
a4ed754c1a38fd8fc24bb4ec7f5da899c254df070bcc8cfd7b16778701c4b72d
Formbook
b9dbb2677a8f3458f8d18b61f12be090a7d6e9460f1e8ec423bd5dea483e1459
Formbook
d3501787751324e615bd13ed80417360fbd7558385662ac34c51b34802f9b9d4
Formbook
da9e3cdd0874cc1e8fcd3ed354cfb48d39f0b2ec7b0b4334ea85d7da7aa32f7c
Formbook
+ 6'069 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210628-w3fhk3f7qe/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.camprosolutions.com/ce0a/
Unpacked files
SH256 hash:
bba697b5998cf19ffbb71e1ffa0d84b3b0da51c2007f49068529152575ae96e7
MD5 hash:
a5af98a412e627fceb2050c8aed22b14
SHA1 hash:
b1ed1fa534fecfced17628e416d7524c1347eaee
Link:
https://www.unpac.me/results/8b915dde-741a-43a6-9fe3-f640e039a387/
SH256 hash:
1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec
MD5 hash:
81faf15c7e3c9446d906659f7c7a9f16
SHA1 hash:
d7e05a22b109ce608109dc509029a7fe22b4b8bf
Link:
https://www.unpac.me/results/8b915dde-741a-43a6-9fe3-f640e039a387/
SH256 hash:
9e9d4417f13a5837e85aaa4a20d820f68d65c168932cbed7e148dcddcf9d87b2
MD5 hash:
7a118bbb2b5427da628c5e7aa32953c0
SHA1 hash:
5e5a06b1f9762c4b6b9ae7992aaf7329265605ee
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/8b915dde-741a-43a6-9fe3-f640e039a387/
Parent samples :
fdd0267b7a2fc993e613cd13de583f4c257467338134d5323ce49c0ad0f02fb6
0ca2057436fdbfcc1ca65bd6a9742a7f810c06f3e4e382d8306c4ef96da5a42c
SH256 hash:
fdd0267b7a2fc993e613cd13de583f4c257467338134d5323ce49c0ad0f02fb6
MD5 hash:
f94b7b97c25c3cba54e881caa18eaeb9
SHA1 hash:
e501beb40456f7213f9bb2b6cecaefd7aaf7100d
Link:
https://www.unpac.me/results/8b915dde-741a-43a6-9fe3-f640e039a387/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/fdd0267b7a2fc993e613cd13de583f4c257467338134d5323ce49c0ad0f02fb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe fdd0267b7a2fc993e613cd13de583f4c257467338134d5323ce49c0ad0f02fb6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1407083/
Cape
Cape
https://www.capesandbox.com/analysis/168583/

Comments