MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad
SHA3-384 hash:	49986c98f51a05daa342eeab5c5611f35eaefa16cb7a7851a3ad3e6c049e5bc545ac07579d6a61a370f8ac509ea76ce9
SHA1 hash:	2e586f8db46953532b5e25e07add4dbaeea83a79
MD5 hash:	6878e9896fdd84dcc11c997c9b7330ba
humanhash:	oregon-two-three-romeo
File name:	NEW ORDER.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	547'840 bytes
First seen:	2022-03-01 10:09:12 UTC
Last seen:	2022-03-01 17:17:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:m5qaxzGRUcZ64JcRm00dTWE88Dje2Ur9o6xJptIpiicMINOBx4D:EcUDRmZdTB88XMq0tDHBMBx4D
Threatray	13'686 similar samples on MalwareBazaar
TLSH	T104C4D04B3A355BE6C93D97346421160CCFF6E9A2C31EF26D7CC6B5C900B1B078A26A17
Reporter	GovCERT_CH
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

# of downloads :

204

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/245704/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader44.42655.5224.27425.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Searching for synchronization primitives

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe update.exe

Link:

https://www.filescan.io/uploads/621df100b94fb38cb42d5247/reports/5fd4426b-cae1-49bb-97f8-f28e3e715435/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/21bb4767-11e5-4813-b6ae-29be7d806095

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/948029

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large strings

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses ipconfig to lookup or modify the Windows network settings

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-03-01 01:22:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aabh2ejqtvktckxhp4znjltzm4ojd5kb4v33vtt2ljnl3ycvmowq._file

Verdict:

malicious

Label(s):

formbook

Formbook

13641ea4fdda43b2a6ffda4fab498971e24d0ae9b594de32f8c9dc7adc36a291

Formbook

2b8099c7609f56157c7d2cb7e1da50b2ff85edb62e7599ca995a691b458ceb31

Formbook

31fcd3d5d4db88d5742905ad8c2717d6c107b246ff4423745c3bbaf8f66e1a7a

Formbook

41baa5cad8fb3ecbaa97116421042ba41a024823638e9b7608c5ac2e2a339525

Formbook

502303edd5a9de57b3667146e84f15fc4957242ca2ef8f75f5e503946c452ee2

Formbook

75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5

Formbook

8e2fa281cc72512de1fc53eb27a9c04a524ce87c3cdf5932931ea3dc463a459a

Formbook

9de751536a55984df4e0686ff47bbe5553906d4b2e2559d7afc019fcb7d4eb4a

Formbook

f725b6a2466a6f4c7084eeab5994e30b8ef836633c1a84d85c1899deb1808d3c

Formbook

+ 13'676 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:sued loader rat suricata

Link:

https://tria.ge/reports/220301-l7dvhsbbek/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Blocklisted process makes network request

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

a41a4410fcd97b74ff170c987ba9600d76b217ca90833d7e4d1ad69cae514d92

MD5 hash:

75d7a79c712fe0b2b6b5ccc842b2b858

SHA1 hash:

cf9e8feef4effcf93c63087ed21b115be8c4ef79

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/90dca3ca-b221-4293-a424-fe7e7d8625b7/

Parent samples :

952fbe116a1aac4f0082519a0dc920ee5dc48e58fe85abcc27b82ecc0ac4e54f
07ea6a87a1ac2a5363e7756a8994f7ed8b971b94cef918803ab3b6dbe9e6b845
13641ea4fdda43b2a6ffda4fab498971e24d0ae9b594de32f8c9dc7adc36a291
00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad
a97609f1fba62176ab743d20619f5dc76e660c19fe1640620fa71be956073642
9841e5cc12d3619ffd5acb390632a01d7cc447af772967cde621d8cd4d7ffbe6
14814de29a97d78c562d283a935b231c5f1743e51eba50c5803c38d9a30902b9
d9840f509c83b94daf1538a67e42bed08eb5578d16a82130f9bb4c0021682b43
a10514b9a622369f9e922896ec542e856068d2a4a10bc8808436bfd88a2e44f2
687269adbd2c39527574f47f87e641e50e1b0f76a7595e16da138ddb23934a1f
1afe58e06e1d4d066bb91b814d50e47351bdbc8a8d02b08a0e7b7f2b9126d796
11011a715ef9903ff51404d2ed9e5690db9e44ee62633a4a620fa456111c7c35
b1b046f894481455910ad97525d296af183dbda7cfbefdec87afbc05bfc4683c
085110f2c00a416220b4430ff77cb8169f85db7d282f330db50d4831506e82e5
65e4e564b8d0f3b181058ed54bac710b63862b172362c0c7fabb4750a80ffe97
4eac3744a1240baa0ba6a519876425b8c52ddaefcb6e65afe077d71b1393ae52

SH256 hash:

ea9b5f5e10d1a1c24cb255425dd84bcd9e430048980fdd6d820e528257813d8f

MD5 hash:

cf203def0067d1270c3fa327758afd7f

SHA1 hash:

ebc4312334f5cee4b5b3d79da5fbb5bb05ebeb13

Link:

https://www.unpac.me/results/90dca3ca-b221-4293-a424-fe7e7d8625b7/

SH256 hash:

79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696

MD5 hash:

39f524c1ab0eb76dfd79b2852e5e8c39

SHA1 hash:

428018e1701006744e34480b0029982a76d8a57d

Link:

https://www.unpac.me/results/90dca3ca-b221-4293-a424-fe7e7d8625b7/

SH256 hash:

00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad

MD5 hash:

6878e9896fdd84dcc11c997c9b7330ba

SHA1 hash:

2e586f8db46953532b5e25e07add4dbaeea83a79

Link:

https://www.unpac.me/results/90dca3ca-b221-4293-a424-fe7e7d8625b7/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/00027d11309d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad

(this sample)

Dropped by

xloader

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/245704/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample