MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 044ae0d297d6156d51d68de2c94b9ce78b3954a99e374a199c225f2272479d34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 044ae0d297d6156d51d68de2c94b9ce78b3954a99e374a199c225f2272479d34
SHA3-384 hash: 272a0f40b3c902fc51e477c8629aa29cf9f0a52315c54ecbf21b88ac547c51cd9dc06951e2029b90d027a9c16e25e661
SHA1 hash: 9533bfd7ee4bc96ccf74d909d95ed4652501762f
MD5 hash: 3dbb4175ca3b6ed5e7945ce8d0104017
humanhash: finch-bakerloo-quebec-hotel
File name:SecuriteInfo.com.Trojan0056a1fe1.12841.28345
Download: download sample
Signature Formbook
Create hunting rule
File size:402'976 bytes
First seen:2022-07-08 07:34:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:3yP+AKVFb8+v3vlIjhZYqskEF5a/Kobt5W3JNFbm9P2:3yoV9Tv3qNZbe52Kobtc5NFbm9P2
Threatray 17'026 similar samples on MalwareBazaar
TLSH T16C845A8BB64C778ECA1BC97179B41D30A610AF775316C602B4C7EDAC8A6C58F9F141E2
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6ccccc9cc4d8e8f4 (41 x Formbook, 34 x AgentTesla, 3 x AveMariaRAT)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan0056a1fe1.12841.28345.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Launching a process
Creating a file
Сreating synchronization primitives
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed wacatac
Link:
https://www.filescan.io/uploads/62c7de2811764e36f8219efd/reports/8327a0a9-99f6-441c-aeb9-6cc9791e0ca5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fab72171-0a23-4307-8bc5-14acb5a7e9fb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1027025
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected potential unwanted application
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 659520 Sample: SecuriteInfo.com.Trojan0056... Startdate: 08/07/2022 Architecture: WINDOWS Score: 100 32 www.unitech-usa.com 2->32 34 www.uk-dnb.site 2->34 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->48 50 6 other signatures 2->50 11 SecuriteInfo.com.Trojan0056a1fe1.12841.exe 1 2->11         started        signatures3 process4 file5 30 SecuriteInfo.com.T...a1fe1.12841.exe.log, ASCII 11->30 dropped 60 Writes to foreign memory regions 11->60 62 Allocates memory in foreign processes 11->62 64 Injects a PE file into a foreign processes 11->64 66 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->66 15 cvtres.exe 11->15         started        signatures6 process7 signatures8 68 Modifies the context of a thread in another process (thread injection) 15->68 70 Maps a DLL or memory area into another process 15->70 72 Sample uses process hollowing technique 15->72 74 2 other signatures 15->74 18 explorer.exe 15->18 injected process9 dnsIp10 36 www.harborretired.com 103.224.212.220, 49857, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 18->36 38 www.potmedkrosnjami.net 62.109.151.80, 49855, 80 IGNUM-ASCzechRepublicCZ Czech Republic 18->38 40 4 other IPs or domains 18->40 52 System process connects to network (likely due to code injection or exploit) 18->52 22 systray.exe 12 18->22         started        signatures11 process12 dnsIp13 42 www.texasbriflook.com 22->42 54 Modifies the context of a thread in another process (thread injection) 22->54 56 Maps a DLL or memory area into another process 22->56 58 Tries to detect virtualization through RDTSC time measurements 22->58 26 cmd.exe 1 22->26         started        signatures14 process15 process16 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/044ae0d297d6156d51d68de2c94b9ce78b3954a99e374a199c225f2272479d34/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-07-08 07:35:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
18 of 26 (69.23%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=arfobuux2ykw2uowrxrmss4446ftsvfjty3uugm4ejpse4shtu2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
23d18a124c44e1f80a9eed03f108139f21a9cbfe060b36211bf21c6cf7213a16
Formbook
5fd380b77aed19d5086ee0c5afb1a717b0901bcf456ef658c0381107e47f17a1
Formbook
7fd0e394a9d74592a74d04b3dccf2dcf8457d0e894cadadbf999c327e9b3940e
Formbook
a4f0b7a84a51c84c7d78a43964d2238e9c891f104ef69122c8f07dcdc3d7d8ef
Formbook
a9aa59bed8eb3e4839b215c072549c359c3867b238e65c4bf98a5f274d2808bb
Formbook
b789d4ddcafc503eff5ad068d03492ec3fe4644798c0ca68957a5405c7fc3c0d
Formbook
c8fc44d1f9bae45933ba95a20f0aebf0e69f8304ea11a4346e610dfacc8ce049
Formbook
e43d0e1932f1e26cd380234020915d5a5015b312f30d5a6fdb444603550c2e35
Formbook
efc51781bc3e82733e68f330ce4905d57bd3188a3584faa693a18223f17ec7ff
Formbook
f6db3a2b3160b40742b164c6bbe0496368f4fc52d1a16757a49d023f5189b428
Formbook
+ 17'016 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220708-jeng5shec6/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds policy Run key to start application
Blocklisted process makes network request
Xloader payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
a51eaf921f27f2ff63d8070f4ef8264f3bcdb276ce654c146c779e685b5fc43e
MD5 hash:
132daa89e66c3b792973c2ff6b580744
SHA1 hash:
4b6d195d233bda56df470250905d65bcf6276f2a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d69a699a-bc2d-4f6d-9966-d599afe235b4/
Parent samples :
89ce5deea4986b1d484b34bee77c58899dab5ce01c8f62b9ac2ca8e9bbed79bd
044ae0d297d6156d51d68de2c94b9ce78b3954a99e374a199c225f2272479d34
50561a0a422f836fd850a8bc328533d7f577ca2acac7999666e48f1ff8e4eff0
768e0f1d1cd2d7f24ee1eaaab00783b734696c6e3f8923470a355cceb72556ec
aae769c2b3b5b48de27bcb540924e2fa02b761e8af8db3d76e8ccc1c311d9596
SH256 hash:
9f093f6999c8a2fe65460ac7c41023ef8a2b642f5ce2677f43a650cc7c9370a9
MD5 hash:
7c5ab810c041e4b5b69ba6f02721545b
SHA1 hash:
e4f212298b19f1e079ea3f15b587b104ee32e7a4
Link:
https://www.unpac.me/results/d69a699a-bc2d-4f6d-9966-d599afe235b4/
SH256 hash:
0b8ff14f0b9c204360371ef57c05a2c0355f84c4bc711b2330bea24be63e535d
MD5 hash:
ee6d61a8f83577354ac62d8400af57d4
SHA1 hash:
2797331375b03bdd10c27bce6f616344d4595811
Link:
https://www.unpac.me/results/d69a699a-bc2d-4f6d-9966-d599afe235b4/
SH256 hash:
044ae0d297d6156d51d68de2c94b9ce78b3954a99e374a199c225f2272479d34
MD5 hash:
3dbb4175ca3b6ed5e7945ce8d0104017
SHA1 hash:
9533bfd7ee4bc96ccf74d909d95ed4652501762f
Link:
https://www.unpac.me/results/d69a699a-bc2d-4f6d-9966-d599afe235b4/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/044ae0d297d6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/044ae0d297d6156d51d68de2c94b9ce78b3954a99e374a199c225f2272479d34

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments