MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe17721930d311edb152dc90a891ae82cc45997b54ec77894f765d5efe259903. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments 1

SHA256 hash:	fe17721930d311edb152dc90a891ae82cc45997b54ec77894f765d5efe259903
SHA3-384 hash:	b98a370058676c638baf954ddb705cb9321df7fbe562c7657d79fe750fad6853c4ff1cd300a33b4174ac0e10d4aa1b76
SHA1 hash:	7c48c3f1d13d5776ac8f492450fbfc5ed2f055ac
MD5 hash:	7a29daa31a1ce60f705519b9e1b8648c
humanhash:	nitrogen-robert-crazy-lithium
File name:	7a29daa31a1ce60f705519b9e1b8648c
Download:	download sample
Signature	Formbook Create hunting rule
File size:	424'448 bytes
First seen:	2021-10-03 07:24:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:kfcPxXO/lGq3gU7aKtTowcrdoAACMJxyddOdWLQ8hFLrs/ilnDq1gSbWlMPVEnsq:k8PiXtTo9r2AeWQyXlDq1FGMPVEn5Pz
Threatray	9'842 similar samples on MalwareBazaar
TLSH	T161940274236F075BDD39C3F8A86145C26BF6A126181AF3749DC9B4EA25A73384EE0D07
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

153

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7a29daa31a1ce60f705519b9e1b8648c

Verdict:

Malicious activity

Analysis date:

2021-10-03 07:59:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3df3e5ba-1cee-4608-b7d0-76d39078b11b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/194306/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1068-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615c2eb2e3d213d202b77370/reports/53340018-6f9c-490d-9e1f-7991628bef7c/overview

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7738cc58-bf7e-4f47-b07b-c3ba5366a340

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/863363

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/fe17721930d311edb152dc90a891ae82cc45997b54ec77894f765d5efe259903/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-10-03 07:25:10 UTC

AV detection:

12 of 45 (26.67%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

2cf9a6fd4361184dbe79b2067472bdb6ac2907b89e78e213cf0eadd69ed10cd1

Formbook

2fc82f206abb0d6d6b4d7a916be93b408ab78f848531917b3968b066a5a31023

Formbook

326a1e669385d8e241375e9eca9f915440f1d0d3f803e6d1648f30102cbedaa6

Formbook

5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8

Formbook

84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d

Formbook

984dec79b881adf59d5308f52fddeda0fbccbd917b750f6ec9a5be1a1a4dc0fa

Formbook

a4c0f021f7b7e196e3a5d8e324cb4084c14941c94d2aab667eb886464948b44a

Formbook

cf3038247c7a2a5779f655fdf594bdad56b22d198b6edb1c3197b84d9c4f153a

Formbook

d079479dd85fb94fe08f6cd70cfff35e39c14294174a8ed6f9b480ffc1cbc9b2

Formbook

+ 9'832 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:ef6c loader rat

Link:

https://tria.ge/reports/211003-h8zxlafbhm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.fis.photos/ef6c/

Unpacked files

SH256 hash:

9591b2ccff5084a8ed9904c240d16e7b4d6d33ca130581fd7e77ba78fb8dacb4

MD5 hash:

4e87b7aff5127f0d2e566c409e328359

SHA1 hash:

e25ca913e05c7d36898b9a329d1d7598a116e4c0

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/9a686e75-f6a7-4380-8a16-7ebc59bf551a/

Parent samples :

fe17721930d311edb152dc90a891ae82cc45997b54ec77894f765d5efe259903
3030cdabe4d1c1f0e6c32acf90cac76165ef0dcf64ad6914077743c2a4002c7c
500e8204e8284a6dbba99d308907c69f9fc5f0135ebd8d41a60d9f02c1076d0b
1f651f590aaf7682d6b480e690099b4115d91f5a260c961ecc6030b2c280708a
bc4d625ec4ba48b9c17bcd907fe509539a12bb0d6103ff65a4e3c59fb4eca07c
46fa7e230e5d8398c15c24dd78906dcf50da9bb1d2cfd8682ad7f2f80819a3a8
02a9e7458836d89cc02de2333176fcfdc9e462535e73e5b032f13e604b831b72
04bbe124df4181232c007b8ed75964eb1823428f7163b636b18597bfc6f80bfc
758acf61b0f5ffe96a2ea2b6a946e32699e0e326fcc4f58596addb7c1784115c
0925611227bd789da9fe684970971f3b97b477cbb5ea4066264db719bb7202b7
55e2d86056c608b484d033235e50a8f13211193a073d6f79c51bab075c4e7506
e1010d989d5412e83aaf07bf794a76257b1a43bcec34dd8c05280cb97c61e3ec
0fdf7d71205b22f118f035eadd183c769c80cd916e41228252494ce59658aad6
96c57ae661562e958e01bb0b490c09a0a51bb367931620223174963de88bdfcb
a63e0773595f36b7ada59361abb3b0df6bf684188170da64325f7224265ecc62
5a1261b8c98d7ec6edfe8e470f857336557c6ed317822117dece6012306f170d
4b3af4ebfe94ecb1730c15620080935f619b6592fad681921968f986c030c0c3
e4a4e1f73cbbd5667b5264b48bc7429ea638532d08e78d53b86b86c0fa5b291b
777c86a17146921e06f4ac7ab01da50e0e3fa657160bcd49e8c99c63f3bf4de4
0c9257ae6c84763746b188ff4d2dc58d040b32f8ab54e9466137312c8e0cc92b
10a96288de8785786b009b94ee858093999c9b690991474b95455192b7622e0b
bbb043c99649e90f8e609d3e1159c20a75f2f41b259f9a51d9f105157e7284ca
ceb71d4b372e1a7b2a14d70c5032553454cd1712c0fe8d6dc0d3bba2cb5ed56c
e65d1335f3495f7d469bea81683253ee0845b3b3980cfaea09c4a7837a6c66eb
f55e37d8505e40b5352a95bd5c391592ca542b842bb937de260bc5826372db34
a3209bf6cfd9b6286923251b6d5da80997c6b3a51ec3bfb922388ee5e8944ec4
e882234db612d0e57bed4b0ae32a2b0dfd70af4721257c5aadb27c9459252a8c
a5980948bb83834c850b21ed35bf1ed3d324b4c85f86b82a4e540aeb399eb1e8
f4d61495086555091ce72a0fdaf2406a0c82b4401ce366eb50ec4d5b5041a795
b9899f8fb99acdf4315b884d1289bab11aa6d7935e3b3d4744898c4aa88f8eaf
869a075f9809475dd6839987e3b1431a1fd437ad7879becd35e4f055b4a7f747
993e2502c86bc87766ee853a75c89ffe6a635383c685b1aea785364b7c101b59
660fe8ad69670eeba2c95a5a011a8bf98b0effb5398cf1ff6c3a8a759a3bc0c8
69713f8848927ec48d76fa26b2c64741b98ecfd7356a023e7bd5f2b193edc480
76d73723ac1e30fad92d7f3fdbb0a87c1d8854ad4e7d3d728805a3f26843085c
e6fc8bbf9d585429d28269af4f4626388f2451f57f714797dcdaee31f0b089f9

SH256 hash:

78205e19b96525f155e9b8c146d6d81c48b53b620a3d4bfbd259f031f53bc4f3

MD5 hash:

191b4ce1538ec3af456b1daccf678824

SHA1 hash:

8dcaa0382c9b9d204e8c8efca3eea8d906883d13

Link:

https://www.unpac.me/results/9a686e75-f6a7-4380-8a16-7ebc59bf551a/

SH256 hash:

45ac68e6e0e1ac87aec25ec94312236f28062ca1b16ec7112973ad3ea227a1ad

MD5 hash:

1c55eb086712a5936bf99285832eb069

SHA1 hash:

8d1cae65a2a1a376f67fbbafae18b9c29693fe71

Link:

https://www.unpac.me/results/9a686e75-f6a7-4380-8a16-7ebc59bf551a/

SH256 hash:

f25803a44f77d9c11829d3494c031e2fd3215c6a51290d975ad90e939db70ba2

MD5 hash:

b9cb4dfb9bac40dfbc65e421fef6540c

SHA1 hash:

5e0479da4ae6d29ecc9c204d1fec1e533b971d63

Link:

https://www.unpac.me/results/9a686e75-f6a7-4380-8a16-7ebc59bf551a/

SH256 hash:

fe17721930d311edb152dc90a891ae82cc45997b54ec77894f765d5efe259903

MD5 hash:

7a29daa31a1ce60f705519b9e1b8648c

SHA1 hash:

7c48c3f1d13d5776ac8f492450fbfc5ed2f055ac

Link:

https://www.unpac.me/results/9a686e75-f6a7-4380-8a16-7ebc59bf551a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/fe17721930d311edb152dc90a891ae82cc45997b54ec77894f765d5efe259903

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe fe17721930d311edb152dc90a891ae82cc45997b54ec77894f765d5efe259903

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/194306/

URLhaus

https://urlhaus.abuse.ch/url/1652503/

URLhaus

https://urlhaus.abuse.ch/url/1652504/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-10-03 07:24:32 UTC

url : hxxp://54.255.220.24/www2/dow.exe