MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe208b7ee1a6c57548a9c39f76fe674ac9e7a0130f88242269b4a102969cd6fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe208b7ee1a6c57548a9c39f76fe674ac9e7a0130f88242269b4a102969cd6fd
SHA3-384 hash: fa707349beefffa2e07a5866694173f7ab84881e1b30d4c246e1da05a4e64852d98996895dd06e7f93ee7c47544a3df7
SHA1 hash: 1c33cb9cfa88b3ebfdddd365316419b08cbdd75b
MD5 hash: e2c8c5cd1683dcfa47f0ba6a15913847
humanhash: tennis-blue-burger-hotel
File name:06-10-22.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:193'536 bytes
First seen:2022-06-10 04:33:45 UTC
Last seen:2022-06-10 06:17:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'659 x Formbook, 12'250 x SnakeKeylogger)
ssdeep 3072:dsSALppRZwFiyc594RWDZ7E0e4Oum0at:dsSg/isyc594RWDZZbOum0
Threatray 130 similar samples on MalwareBazaar
TLSH T10914D902338881E9D42B077AA6CE4AB5E1294C173C75FC1F75353EA767B0AC845E6DAC
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e0f0f0d4f4f092cc (12 x AgentTesla, 3 x Formbook, 3 x SnakeKeylogger)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
06-10-22.exe
Verdict:
No threats detected
Analysis date:
2022-06-10 04:35:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/03e1abc2-b40e-43d5-85e0-8d2905884524

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/278547/
Detection(s):
SecuriteInfo.com.TrojanDownloader.MSIL.NanoCore.A.MTB.30501.19177.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Searching for synchronization primitives
Launching the process to change network settings
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62a2c9f8af217491b52ae84c/reports/78546198-06c3-4201-847f-0444f221a8e1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6c162da-538f-41b0-ad65-cdb21e242519
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1010597
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 643093 Sample: 06-10-22.exe Startdate: 10/06/2022 Architecture: WINDOWS Score: 100 78 Snort IDS alert for network traffic 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 7 other signatures 2->84 10 06-10-22.exe 16 7 2->10         started        14 Zueezkfxr.exe 14 4 2->14         started        process3 dnsIp4 68 mickey51.com 43.242.128.230, 49739, 49756, 49757 SONDERCLOUDLIMITED-AS-APSonderCloudLimitedHK Hong Kong 10->68 60 C:\Users\user\AppData\...\Zueezkfxr.exe, PE32 10->60 dropped 62 C:\Users\...\Zueezkfxr.exe:Zone.Identifier, ASCII 10->62 dropped 64 C:\Users\user\AppData\...\06-10-22.exe.log, ASCII 10->64 dropped 17 InstallUtil.exe 10->17         started        20 cmd.exe 1 10->20         started        90 Multi AV Scanner detection for dropped file 14->90 92 Machine Learning detection for dropped file 14->92 22 InstallUtil.exe 14->22         started        24 cmd.exe 1 14->24         started        file5 signatures6 process7 signatures8 70 Modifies the context of a thread in another process (thread injection) 17->70 72 Maps a DLL or memory area into another process 17->72 74 Sample uses process hollowing technique 17->74 76 2 other signatures 17->76 26 explorer.exe 17->26 injected 29 conhost.exe 20->29         started        31 timeout.exe 1 20->31         started        33 conhost.exe 24->33         started        35 timeout.exe 1 24->35         started        process9 signatures10 88 Uses netsh to modify the Windows network and firewall settings 26->88 37 Zueezkfxr.exe 3 26->37         started        40 colorcpl.exe 26->40         started        43 netsh.exe 26->43         started        45 2 other processes 26->45 process11 dnsIp12 66 mickey51.com 37->66 47 InstallUtil.exe 37->47         started        50 cmd.exe 1 37->50         started        86 Tries to detect virtualization through RDTSC time measurements 40->86 52 cmd.exe 40->52         started        signatures13 process14 signatures15 94 Modifies the context of a thread in another process (thread injection) 47->94 96 Maps a DLL or memory area into another process 47->96 98 Sample uses process hollowing technique 47->98 54 conhost.exe 50->54         started        56 timeout.exe 1 50->56         started        58 conhost.exe 52->58         started        process16
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fe208b7ee1a6c57548a9c39f76fe674ac9e7a0130f88242269b4a102969cd6fd/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2022-06-10 03:24:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
20 of 41 (48.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7yqiw7xbu3cxksfjyopxn7thjle6piatb6eciitjwsqqffu4236q._file
Verdict:
unknown
Similar samples:
1d19970cc9dbb2fbab3acafb0fb2d5988be9be0f10e975960668b44f34cbe152
Formbook
27e1cf8e4ebd48d83db12b2b09043e5be2d8d5785cdfecd0027b53f6f41efd00
Formbook
3c5760b7a81ad1c6624c2ca1abe3a7e68c32f22b0e3bace1a06db8c5477907fd
Formbook
48bc7d857e4ba3e1945c01521208ae667a9bfd8d091efa22d25cfb853bc0001a
Formbook
9a6542e7da5c82465fd053f020d82161a8995c3353b58ac9b3e085d70d9ecf8d
Formbook
d6f0adc68939dadf1673789efc9578fa08958bd6b5f20233a0d92cf12043c4ee
Formbook
dabeda023e0d39ee7704b9bd9f18553964976d604109147508349f00cec82d19
Formbook
eade330b178b86366b371786fd358a905e3051a3653b134db0fe4ae9c8dfa676
Formbook
ec6fd6f131a72a7e86063ebca1078f7063cf3abfdf467c94961aee89789615be
Formbook
+ 120 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fs44 persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220610-e66etacac6/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
fe208b7ee1a6c57548a9c39f76fe674ac9e7a0130f88242269b4a102969cd6fd
MD5 hash:
e2c8c5cd1683dcfa47f0ba6a15913847
SHA1 hash:
1c33cb9cfa88b3ebfdddd365316419b08cbdd75b
Link:
https://www.unpac.me/results/7c2e1403-5815-4b0f-af51-0553d6011cc2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/fe208b7ee1a6c57548a9c39f76fe674ac9e7a0130f88242269b4a102969cd6fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 6fe3d4977127b286b44f111d1048b19ae3bd4016d53af1ba2c488c4751f45eb0

Formbook

Executable exe fe208b7ee1a6c57548a9c39f76fe674ac9e7a0130f88242269b4a102969cd6fd

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 6fe3d4977127b286b44f111d1048b19ae3bd4016d53af1ba2c488c4751f45eb0
Cape
Cape
https://www.capesandbox.com/analysis/278547/
  
Dropped by
MD5 43ca77eb4fb2baabb5a2706c111bd3e6

Comments