MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 070264132f92fc5cb01521385e73bf36954d4093da205c59821e844abed68b5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 070264132f92fc5cb01521385e73bf36954d4093da205c59821e844abed68b5f
SHA3-384 hash: 89cd7566a84689300aed3bac66717b20e993ea6ffb01f9b15e73fda478ae038aa557c334edba82e55750721c085197a3
SHA1 hash: a48bd656c3f69bf08a4c3c445b446e28828120f1
MD5 hash: 7bd21769b4e95e74146168a3148c636c
humanhash: kansas-blue-white-video
File name:7bd21769b4e95e74146168a3148c636c
Download: download sample
Signature Formbook
Create hunting rule
File size:792'064 bytes
First seen:2022-02-23 13:53:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:JW0CvYvoah7jYK777777777777p30iJJVto5U3tEEf1YvbOplfMjb43TE/DxdM1r:4K777777777777p2U3+OphMH4kDofFf
Threatray 14'032 similar samples on MalwareBazaar
TLSH T1C2F4CF0439AB5F3DF1B58BB11DC1ECB4BA98FB232C08B3BD74516686C6A1B408953776
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/243794/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.NanoBot.mc.30336.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62163c89875593a3cc0acfed/reports/2f4c791c-6277-4cb2-b4fd-e779fffc2df1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/091c7fec-fab8-49d3-b452-2dc3c970c780
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/945053
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 577535 Sample: zP336Qjz0q Startdate: 23/02/2022 Architecture: WINDOWS Score: 100 31 Malicious sample detected (through community Yara rule) 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected AntiVM3 2->35 37 6 other signatures 2->37 9 zP336Qjz0q.exe 3 2->9         started        process3 file4 29 C:\Users\user\AppData\...\zP336Qjz0q.exe.log, ASCII 9->29 dropped 47 Tries to detect virtualization through RDTSC time measurements 9->47 49 Injects a PE file into a foreign processes 9->49 13 zP336Qjz0q.exe 9->13         started        16 zP336Qjz0q.exe 9->16         started        18 zP336Qjz0q.exe 9->18         started        20 zP336Qjz0q.exe 9->20         started        signatures5 process6 signatures7 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 22 explorer.exe 13->22 injected process8 process9 24 svchost.exe 22->24         started        signatures10 39 Self deletion via cmd delete 24->39 41 Modifies the context of a thread in another process (thread injection) 24->41 43 Maps a DLL or memory area into another process 24->43 45 Tries to detect virtualization through RDTSC time measurements 24->45 27 cmd.exe 1 24->27         started        process11
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/070264132f92fc5cb01521385e73bf36954d4093da205c59821e844abed68b5f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-23 13:54:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3ac2da7ec8b0c46550c9b85707c4743ea4cacbb5bb6ee0fd159792f3978e3ad3
Formbook
40da3a76d7dfbe395b879dc9b090af73483617c65c7c433975490c0a22e4a71a
Formbook
70c6fd4de902c8ccce31380698b123def84b4d209c8b824e1065349a5aee9de2
Formbook
96077c533e59e3b8cf38826e5e37e35f1f2eb44d356eae6575223158b565198e
Formbook
ab12ca2a034e07fbdd6c9d6c31270f52173cd8559e12aad0aea593cc460867cd
Formbook
ab4676fc90e455da2127126bfbd1fd167328c79eda83f686ef71dd89266825f5
Formbook
d6b928a4292c14dee552691c4955bdff07d038470ec1419c88a4018fb06bd399
Formbook
e51c60f40080414b74c2eeef62780b28aa31c7875dada6dc2097323a61cc8396
Formbook
e649ef1ecf0e0daefe140fa78271435271c8d55607f8365ddef4d94b66bfdfdd
Formbook
+ 14'022 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:3j0s loader rat
Link:
https://tria.ge/reports/220223-q7j4raach5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
3d3f0493a896ccf128eaf386a76d2b87f00eec161466c2e0ca14b422eaaf244b
MD5 hash:
05604bbe9aa3bc21009c98573715ce96
SHA1 hash:
3b061d7645c7e5dfa734a8272028ef0c325f16d8
Link:
https://www.unpac.me/results/752a6f37-ba4e-4984-812d-51da85527063/
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/752a6f37-ba4e-4984-812d-51da85527063/
SH256 hash:
0314763483822d158fe862389444547f461a69480ea3ddb9fd60801a627c8d38
MD5 hash:
f54e43ec9e4a56b74def0ed264514682
SHA1 hash:
867ab1b694c605521119c4375dbad1b039f2c648
Link:
https://www.unpac.me/results/752a6f37-ba4e-4984-812d-51da85527063/
SH256 hash:
610d939f1835f892b5d2043c58c0710e05f99386d06dc122afd1aba71b22acc9
MD5 hash:
5b0dad2092d57bff128b7e4c06cd8e28
SHA1 hash:
559872174df90aeea8d360e240c7e0bdedbc2888
Link:
https://www.unpac.me/results/752a6f37-ba4e-4984-812d-51da85527063/
SH256 hash:
01a8c4287e31e776a29a2a88d299e1ab455bcf873a1d70bced096dababfe052e
MD5 hash:
8cf6118f32d7ebe1e32c464a0f0d9da6
SHA1 hash:
465f9f04cdacc702a1905757d89cd1fdfd29add4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/752a6f37-ba4e-4984-812d-51da85527063/
Parent samples :
070264132f92fc5cb01521385e73bf36954d4093da205c59821e844abed68b5f
00618cf758d2dbbbc3565a8063f22ba6a2b1eaba02e36d62db931bf2e24e14f9
d3a05e3c59773122c743c4ba81f62be36f37b0528911c45b3ba559cf38c210c9
24cd6b2fd213f2a5de5c2e24d9ae0f485922dce2e0f3dfe8c34e4f11a8e8c06b
SH256 hash:
070264132f92fc5cb01521385e73bf36954d4093da205c59821e844abed68b5f
MD5 hash:
7bd21769b4e95e74146168a3148c636c
SHA1 hash:
a48bd656c3f69bf08a4c3c445b446e28828120f1
Link:
https://www.unpac.me/results/752a6f37-ba4e-4984-812d-51da85527063/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/070264132f92/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/070264132f92fc5cb01521385e73bf36954d4093da205c59821e844abed68b5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 070264132f92fc5cb01521385e73bf36954d4093da205c59821e844abed68b5f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2055535/
Cape
Cape
https://www.capesandbox.com/analysis/243794/

Comments


Avatar
zbet commented on 2022-02-23 13:53:52 UTC

url : hxxp://198.23.212.228/PBbin.exe