MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05400e2e332ef1360d0e1a85c751d4e33e1269e7d5087ea695fe53b62180a121. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments 1

SHA256 hash:	05400e2e332ef1360d0e1a85c751d4e33e1269e7d5087ea695fe53b62180a121
SHA3-384 hash:	b358ac3ad7f39054c4924ee2c38ddbf8d2021f6c4f36589b665c8ce6a1f3436cb0c311c80e8578280eade738e916e956
SHA1 hash:	899e1594db5f3f217fb37d811e2f24566ea0e81d
MD5 hash:	1cbd24020eb46915e39fdd423bb295e1
humanhash:	salami-eleven-oregon-pip
File name:	1cbd24020eb46915e39fdd423bb295e1
Download:	download sample
Signature	Formbook Create hunting rule
File size:	955'904 bytes
First seen:	2022-07-27 14:27:53 UTC
Last seen:	2022-07-27 15:33:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:8c8w4UZvybcv8vAXQDPKBvDxYoglcLnxpP:8c86d8ryxDqfcf
TLSH	T17015125C27A81F07DDFD43F8401004089BB435A635A7E7AC9EC2E0DE2F66B615A4BE5B
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	2188c4aaa8e8f236 (5 x SnakeKeylogger, 4 x Loki, 3 x NanoCore)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

341

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/294655/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1452.12124.25309.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62e14c2b7dd0cb902f05e77a/reports/b7750303-2d07-45db-9ebf-4c8fbce384e1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c36a635a-05a4-4065-8cdc-16bc7c4a1d9d

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1041887

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/05400e2e332ef1360d0e1a85c751d4e33e1269e7d5087ea695fe53b62180a121/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2022-07-26 22:38:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=avaa4lrtf3ytmdiodkc4ouou4m7be2ph2ueh5juv7zj3mimaueqq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:a2es loader rat

Link:

https://tria.ge/reports/220727-rszrbsefhq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader payload

Xloader

Unpacked files

SH256 hash:

ae5dd0a7fc20901973744dacd5ca578abf254cd8d8641b9a0e24826db97f953f

MD5 hash:

582a38cd558a01e3c0b65c405430e5af

SHA1 hash:

d76316fd02714d58f2d5628622e344acdd721215

Detections:

win_formbook_g0

win_formbook_auto

XLoader

Link:

https://www.unpac.me/results/0c9502e3-00c3-4f3e-9060-4da16a92a01b/

Parent samples :

b138102457454a3101f17bba4da29d991c4330f387df3d0db2165aaabee608d2
0793dfe009772f771270e113edc94fc7a19fa5d7f53a3e858f9775319b9d536e
98f3a321eecbb419352f9ecbf3ef45a404ee280d18aa148c4e1dc80867cc09a2
00509d2de60dcdf523ea44b90e5dbbb510f6298bcd9810686ea625d33160176e
b326a836015d646984f10a251e4b6678a9822a1f365369512b80f0928b35299d
f6c20c48de3ffdb54b94206a36926206993732ee873b0e0916e417ff93e9f878
7ead9b6c89ec926f1b8f0f793e305315f9bc59876e14b57653e47f336648eafc
25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21
a1fda3d25de841c11ff5dae7f624462a8ee8b66ad97ead52b2d69f88875c3e5a
29706d5927c63e4ef3241012c1a81d1ca0382fbaa05d7f115c39184a03c598c3
f6b709d4d41b801c2f5df85f05f3396ab9a2d0b1851ebdc5e434b03c184dacd6
765c9f36ef8ac4c126c700a74d79f85ad6f02cc7e3539c1f79337efd9fd21bf6
329aff3de19577cdf2a9cba76a69b538280b0984577226b52ed9eeb193bbe0e7
05400e2e332ef1360d0e1a85c751d4e33e1269e7d5087ea695fe53b62180a121
215e5a85cc6a627b1abdf8744a7b20c3c3f2663ec5e59264d40679f004d4eca0

SH256 hash:

39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807

MD5 hash:

db51fe170a9e5d6ec5429a2fbd9d0353

SHA1 hash:

e30a58125fc41322db6cf2ccb6a6d414ed379016

Link:

https://www.unpac.me/results/0c9502e3-00c3-4f3e-9060-4da16a92a01b/

SH256 hash:

9a1a00a9c01ec767a0c2e40f8823790b2c50612b494e5c7f8981035a435a1bec

MD5 hash:

7a67f30376534220d4acb0de4f22a0a8

SHA1 hash:

72b3850d8971f5c8e5435cf4dbc37460ed490f87

Link:

https://www.unpac.me/results/0c9502e3-00c3-4f3e-9060-4da16a92a01b/

SH256 hash:

de8bd801fc54ab73a06f109cbd690cab70ddb2010578d4c1947046a63e926121

MD5 hash:

57d049fbedacb52e5ff46eb658bc6b77

SHA1 hash:

712b373525e2fe37b1eb5d89bdff5b7a42851aa0

Link:

https://www.unpac.me/results/0c9502e3-00c3-4f3e-9060-4da16a92a01b/

SH256 hash:

2cf27b8d84779fdb5a67a1d57ab51858992f8b4a34c3b4fc18e318fdd01d9316

MD5 hash:

5a0b2a3a51db2f956077af739ba051a1

SHA1 hash:

4281f6e5ce03ad0b69b1c2855ce251e1bb227c39

Link:

https://www.unpac.me/results/0c9502e3-00c3-4f3e-9060-4da16a92a01b/

SH256 hash:

05400e2e332ef1360d0e1a85c751d4e33e1269e7d5087ea695fe53b62180a121

MD5 hash:

1cbd24020eb46915e39fdd423bb295e1

SHA1 hash:

899e1594db5f3f217fb37d811e2f24566ea0e81d

Link:

https://www.unpac.me/results/0c9502e3-00c3-4f3e-9060-4da16a92a01b/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 05400e2e332ef1360d0e1a85c751d4e33e1269e7d5087ea695fe53b62180a121

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2261860/

Cape

https://www.capesandbox.com/analysis/294655/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-07-27 14:28:05 UTC

url : hxxp://103.153.79.87/dhl_invoice_2337990/networksec.exe