MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a20250dd45ed290bfdae84a7d120f825a98430c4b1aa8fb1dfe5d10ecaaa9d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments 1

SHA256 hash:	0a20250dd45ed290bfdae84a7d120f825a98430c4b1aa8fb1dfe5d10ecaaa9d7
SHA3-384 hash:	76eac5691c5b8996292c9f4d91dad272d31a5757e470f07beb127518b76f8c048d91dc393345a9d105e9e2cf3c62a763
SHA1 hash:	e514a5b3ab7e26c9072e995c2b6498ba21ec01c4
MD5 hash:	1fc5ef2428c9e2f061038dcd3278e103
humanhash:	skylark-charlie-mobile-music
File name:	1fc5ef2428c9e2f061038dcd3278e103
Download:	download sample
Signature	Formbook Create hunting rule
File size:	276'994 bytes
First seen:	2022-04-13 11:35:37 UTC
Last seen:	2022-04-13 12:44:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep	6144:zjgg1F8ElBaV9sL8By+ZKReKtJSuVq7Iics8w:oK8ECA8bZEeiJQ7INrw
Threatray	15'016 similar samples on MalwareBazaar
TLSH	T1F944136336DA8937D7F26A7089BFDBF6E2FE6161041445CB53944F777E12A8214070C6
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

341

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

http://103.151.123.228/cloudkeeper/vbc.exe

Verdict:

Malicious activity

Analysis date:

2022-04-13 11:24:13 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/a18b5218-e767-453d-9036-f35de3ce304c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/263415/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.26683.469.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Launching cmd.exe command interpreter

Searching for synchronization primitives

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Reading critical registry keys

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/13756/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe formbook overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6256b5aaeab80a7a6c091956/reports/fbc5d1ab-8860-4340-a838-edef7103665b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3367e42d-e13a-4278-a70d-95d8c0557efc

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/976128

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/0a20250dd45ed290bfdae84a7d120f825a98430c4b1aa8fb1dfe5d10ecaaa9d7/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-04-13 11:36:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=biqckdoul3jjbp625bfh2eqpqjnjqqymjmnkr6y57zorb3fkvhlq._file

Verdict:

malicious

Label(s):

formbook

Formbook

209f77f7c06469c75125d639bdca79aa1751e1d76a7288d349f113f9c75b7da4

Formbook

224f624a53eb1c209d1fc9161cb9d91464768960765e64855ccf547d0c64c478

Formbook

487abe718971e8c9415793ffe0c162a4843aeeb5d4667981bb0be983f7710f4e

Formbook

5cef577cfd13f14d2c7468515dcd2da6bdbcbfe9e6778bf2dbf4ee212f273372

Formbook

91d99c65d090258a349298db78014461d0461e916733b3be3247410e05c31d0d

Formbook

faff2bfbf22cd4f7d3d79ae04fbff8db10e9e0c5416dd27644f5bcb0d5dfd98c

Formbook

fc0298b6968720affc88ee57d037699606f5bdeb5d6d47db892c4fec474c062d

Formbook

+ 15'006 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:ud5f loader rat suricata

Link:

https://tria.ge/reports/220413-nqj2babhel/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

cf67ed89b1ad5002a948232de75f9cc28bc8dab6eb609a93ef254557ca4a5a48

MD5 hash:

20d4c91137cd70ee101d7c25274cceff

SHA1 hash:

37f85eee3785fc323de9546f3f1034c80fc24ef0

Link:

https://www.unpac.me/results/ee6edbba-293d-4ab3-929b-e036140c2c0a/

Parent samples :

5cef577cfd13f14d2c7468515dcd2da6bdbcbfe9e6778bf2dbf4ee212f273372
fc0298b6968720affc88ee57d037699606f5bdeb5d6d47db892c4fec474c062d
44c1010aaaf8086dc6358f391f6d957057246eb0e6313b40a05a80e2ec9ef9a9
91d99c65d090258a349298db78014461d0461e916733b3be3247410e05c31d0d
a8bbd4ca2516a674b7d8b3b75cdd35f939af1cb503ea3eac66493e3f74984f1b
1a852a9f9db5ed1241ddddf3c62f2d258754ffdf8df9a53bfb43da779f8faf77
434655800ff8d745df2462881f0fe044f2af72512217dd531beffbfea0e2b1a6
9e5adcaacfb1ac132bda2322f07bea8a6e8520fbaaa2db812cb8ad6bb6c49512

SH256 hash:

7d1fb1ab60788b24e9f209a1902a2bf990a0376c483fec7b1f9982fa704a4a48

MD5 hash:

de95ffbe81360abd543868edd03d00d7

SHA1 hash:

15e3caf341ba348161b8bc7f301a40a16dcc34d5

Link:

https://www.unpac.me/results/ee6edbba-293d-4ab3-929b-e036140c2c0a/

SH256 hash:

0a20250dd45ed290bfdae84a7d120f825a98430c4b1aa8fb1dfe5d10ecaaa9d7

MD5 hash:

1fc5ef2428c9e2f061038dcd3278e103

SHA1 hash:

e514a5b3ab7e26c9072e995c2b6498ba21ec01c4

Link:

https://www.unpac.me/results/ee6edbba-293d-4ab3-929b-e036140c2c0a/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/0a20250dd45e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.18

Link:

https://yomi.yoroi.company/submissions/0a20250dd45ed290bfdae84a7d120f825a98430c4b1aa8fb1dfe5d10ecaaa9d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research