MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 002c9ae4f54d44fc45770610fa4862ee1ce47c2bb81c96555c1e10bd8523eca2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 002c9ae4f54d44fc45770610fa4862ee1ce47c2bb81c96555c1e10bd8523eca2
SHA3-384 hash: c3c7213edbb762988f46f49551bdfa8ff45136b7f99d10d283f65fa5a34bfb77c1b1dc76b5135ed584fdbc9443ec5a61
SHA1 hash: 0e5eaa1a4cc6ce8730043a3bfeacfa395ff923dd
MD5 hash: 7627eec33a15a9ae89fec4c856aac551
humanhash: gee-bravo-six-april
File name:setup.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:599'552 bytes
First seen:2024-07-29 22:56:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:fT+IMW9NnB6+a35g4ODvh3+Gl+0gbdQxlRaLZTSsZI:CPcBQ5xK9zMd2l8LZhZI
Threatray 753 similar samples on MalwareBazaar
TLSH T1D5D4291B2B3C5DB7D521F3BE899BE315E69A02C4F5A6C3C9AC303926D8D07875E429D0
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1269495149c928d0 (1 x Formbook)
Reporter Chainskilabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2024-07-29 22:58:00 UTC
Tags:
evasion telegram xworm
Link:
https://app.any.run/tasks/15fe158d-0009-48df-aa62-48a670ce995a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a81e059d47c7700ac5ed6b
Tags:
Discovery Execution Network Stealth Trojan Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Running batch commands
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a process with a hidden window
Launching a process
Creating a window
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
asyncrat packed vbnet
Link:
https://www.filescan.io/uploads/66a81e03dfa8b2fced4fd046/reports/5cd24094-2cef-4c8e-b649-1a8cf251feec/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/002c9ae4f54d44fc45770610fa4862ee1ce47c2bb81c96555c1e10bd8523eca2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/333140db-0f44-4d8c-b25b-5e952fd634da
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1484401
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Found malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1484401 Sample: setup.exe Startdate: 30/07/2024 Architecture: WINDOWS Score: 100 57 api.telegram.org 2->57 59 time.windows.com 2->59 61 2 other IPs or domains 2->61 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus / Scanner detection for submitted sample 2->73 77 19 other signatures 2->77 9 setup.exe 4 2->9         started        12 svchost.exe 2->12         started        15 svchost.exe 2->15         started        17 10 other processes 2->17 signatures3 75 Uses the Telegram API (likely for C&C communication) 57->75 process4 file5 53 C:\Users\user\AppData\Roaming\XClient.exe, PE32 9->53 dropped 55 C:\Users\user\AppData\Local\...\setup.exe.log, CSV 9->55 dropped 19 XClient.exe 15 6 9->19         started        24 cmd.exe 1 9->24         started        87 Antivirus detection for dropped file 12->87 89 Multi AV Scanner detection for dropped file 12->89 91 Machine Learning detection for dropped file 12->91 93 Changes security center settings (notifications, updates, antivirus, firewall) 15->93 26 MpCmdRun.exe 15->26         started        95 Query firmware table information (likely to detect VMs) 17->95 signatures6 process7 dnsIp8 63 ip-api.com 208.95.112.1, 49700, 80 TUT-ASUS United States 19->63 65 api.telegram.org 149.154.167.220, 443, 49707 TELEGRAMRU United Kingdom 19->65 67 easy-results.gl.at.ply.gg 147.185.221.20, 49708, 49710, 49711 SALSGIVERUS United States 19->67 51 C:\Users\user\AppData\Local\svchost.exe, PE32 19->51 dropped 79 Antivirus detection for dropped file 19->79 81 Multi AV Scanner detection for dropped file 19->81 83 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->83 85 8 other signatures 19->85 28 powershell.exe 23 19->28         started        31 powershell.exe 19->31         started        33 powershell.exe 19->33         started        39 2 other processes 19->39 35 conhost.exe 24->35         started        37 conhost.exe 26->37         started        file9 signatures10 process11 signatures12 97 Loading BitLocker PowerShell Module 28->97 41 conhost.exe 28->41         started        43 conhost.exe 31->43         started        45 conhost.exe 33->45         started        47 conhost.exe 39->47         started        49 conhost.exe 39->49         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/002c9ae4f54d44fc45770610fa4862ee1ce47c2bb81c96555c1e10bd8523eca2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/002c9ae4f54d44fc45770610fa4862ee1ce47c2bb81c96555c1e10bd8523eca2/
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 14:53:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 24 (91.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aawjvzhvjvcpyrlxayipusdc5yooi7blxaojmvk4dyil3bjd5sra._file
Verdict:
malicious
Similar samples:
2e2be20ac0c61653de9551407e30a57d8f7bce1fd1146e0a5cb6ec4ba599696b
Formbook
4eedc7ed6ade620eef8eb160d18518afc9c59eb262baf8a9fdbe758fb611b6f0
Formbook
77a7db0fbc13dea55b22b02fec1df3a7000f1850a92bc6d251def80526b8b1d6
Formbook
a0bcad23f8cd5357b031ec1bda2949166df60bba7b0acc6f83c81167b44eefb0
Formbook
aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28
Formbook
cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26
Formbook
+ 743 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution persistence rat trojan
Link:
https://tria.ge/reports/240729-2wntcavcqn/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
easy-results.gl.at.ply.gg:52467
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fcf6d83f-41e4-49b7-ada5-5e541ae869a0
Unpacked files
SH256 hash:
a84bedfd5efb57a4a543efe419fdb4d870b10c3f5d9d5ee59f56e606ffef5d2f
MD5 hash:
cbc0498b57e4b1f66766461d15e0aace
SHA1 hash:
367dc1c05b69b77954ae5b98f0a19d64c14c0841
Detections:
XWorm
Create hunting rule
Link:
https://www.unpac.me/results/8400a0b7-6abd-4a1c-831b-ff1653b8eeba/
SH256 hash:
002c9ae4f54d44fc45770610fa4862ee1ce47c2bb81c96555c1e10bd8523eca2
MD5 hash:
7627eec33a15a9ae89fec4c856aac551
SHA1 hash:
0e5eaa1a4cc6ce8730043a3bfeacfa395ff923dd
Link:
https://www.unpac.me/results/8400a0b7-6abd-4a1c-831b-ff1653b8eeba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/002c9ae4f54d44fc45770610fa4862ee1ce47c2bb81c96555c1e10bd8523eca2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments