MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 066cffd2ba05642d4bcadf466fa00ba50210b6aed526c07382924c7aaece384e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 066cffd2ba05642d4bcadf466fa00ba50210b6aed526c07382924c7aaece384e
SHA3-384 hash: 2dc75a41ea01a8360b0b1d4365ab77a7141cdc9534fa48d336217ba673510f7267641d57a5910d897a73276f1ba6f37d
SHA1 hash: b851a0ba41ced091fd775b72c91b329d387cdeff
MD5 hash: 75c7da1457f052ae8aa48571898d4094
humanhash: pluto-lima-florida-december
File name:066cffd2ba05642d4bcadf466fa00ba50210b6aed526c07382924c7aaece384e.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:6'669'824 bytes
First seen:2024-10-06 22:46:01 UTC
Last seen:2024-10-06 23:35:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep 196608:ebykpmsXWNegK1D2+XUrsLrB9L8kIgCBtorLeeN5nMzl6:uyymcWZID2gNqkI/torLeeN5Mzl
TLSH T1896633CA6363A994D7D9D4B8996120370CE8D28C10BFE422E77C3964D53C923E6ED8DD
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon e08e8ecccc8ef0e0 (1 x Formbook)
Reporter Chainskilabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
368
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
066cffd2ba05642d4bcadf466fa00ba50210b6aed526c07382924c7aaece384e.exe
Verdict:
Malicious activity
Analysis date:
2024-10-06 23:03:53 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/24a9439e-5e44-498e-8fde-20bcf24896d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.13660.12629.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6703132db932c04ee8fda6bd
Tags:
Shellcode Dropper Exploit Quasar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed shell32
Link:
https://www.filescan.io/uploads/67031330df01d257b681f239/reports/a9a21ecb-e595-435d-a719-d868ffcadcdf/overview
Verdict:
Malicious
Labled as:
FakeAlert.Generic
Link:
https://www.hybrid-analysis.com/sample/066cffd2ba05642d4bcadf466fa00ba50210b6aed526c07382924c7aaece384e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4d98994-de70-46b5-a8b3-cf28b1832336
Result
Threat name:
Quasar, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1527486
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Quasar RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1527486 Sample: PixpFUv4G7.exe Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 62 ip-api.com 2->62 64 content-portion.gl.at.ply.gg 2->64 70 Suricata IDS alerts for network traffic 2->70 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 19 other signatures 2->76 9 PixpFUv4G7.exe 3 3 2->9         started        13 Microsoft Copilot.exe 2->13         started        15 Microsoft Copilot.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 52 C:\Users\user\AppData\Local\...\Copilot.exe, PE32 9->52 dropped 86 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->86 19 unarchiver.exe 4 9->19         started        21 Copilot.exe 15 6 9->21         started        signatures6 process7 dnsIp8 26 7za.exe 59 19->26         started        66 ip-api.com 208.95.112.1, 49699, 80 TUT-ASUS United States 21->66 68 content-portion.gl.at.ply.gg 147.185.221.21, 47900, 49971, 49973 SALSGIVERUS United States 21->68 50 C:\Users\user\...\Microsoft Copilot.exe, PE32 21->50 dropped 78 Antivirus detection for dropped file 21->78 80 Multi AV Scanner detection for dropped file 21->80 82 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->82 84 6 other signatures 21->84 29 powershell.exe 23 21->29         started        32 powershell.exe 23 21->32         started        34 powershell.exe 21->34         started        36 2 other processes 21->36 file9 signatures10 process11 file12 54 C:\Users\user\AppData\...\protobuf-net.dll, PE32 26->54 dropped 56 C:\Users\user\AppData\Local\...\client.bin, PE32 26->56 dropped 58 C:\Users\user\...\Quasar.resources.dll, PE32 26->58 dropped 60 20 other files (19 malicious) 26->60 dropped 38 conhost.exe 26->38         started        88 Loading BitLocker PowerShell Module 29->88 40 conhost.exe 29->40         started        42 conhost.exe 32->42         started        44 conhost.exe 34->44         started        46 conhost.exe 36->46         started        48 conhost.exe 36->48         started        signatures13 process14
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/066cffd2ba05642d4bcadf466fa00ba50210b6aed526c07382924c7aaece384e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/066cffd2ba05642d4bcadf466fa00ba50210b6aed526c07382924c7aaece384e/
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2024-10-06 22:11:21 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
30 of 38 (78.95%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=azwp7uv2avsc2s6k35dg7ialuubbbnvo2utma44csjghvlwohbha._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery rat trojan
Link:
https://tria.ge/reports/241006-2py1qsthjd/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
content-portion.gl.at.ply.gg:47900
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/514662a8-f241-4d21-92cc-24e710a088f5
Unpacked files
SH256 hash:
d2f99e47b2e4c82bcc45e74fe83792f5c90e530b02a8b65837f256008f8a1c98
MD5 hash:
34d9f35ea8d1a8c5a793d94b9fd998cb
SHA1 hash:
4a5b7ea6c89dcd73d7c87ec7b3a7b3b266cccd9b
Link:
https://www.unpac.me/results/49d8509a-cfaf-4b31-beaa-b8e5abcc3e66/
SH256 hash:
066cffd2ba05642d4bcadf466fa00ba50210b6aed526c07382924c7aaece384e
MD5 hash:
75c7da1457f052ae8aa48571898d4094
SHA1 hash:
b851a0ba41ced091fd775b72c91b329d387cdeff
Link:
https://www.unpac.me/results/49d8509a-cfaf-4b31-beaa-b8e5abcc3e66/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/066cffd2ba05/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/066cffd2ba05642d4bcadf466fa00ba50210b6aed526c07382924c7aaece384e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA

Comments