MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a818e0d6e682be8b8b7a4ec2becdb2de6c05d5503c6f397a63d18ccf0fa9b0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a818e0d6e682be8b8b7a4ec2becdb2de6c05d5503c6f397a63d18ccf0fa9b0f
SHA3-384 hash: 4d386b483795f31dbe5136879a069afb540151a3de6bb44802f16119e86164e7bce2bb273032c15efa8fa577f6b81cbe
SHA1 hash: c12da1a8a587b7a2eaf06c0b3607a56b1a85c57b
MD5 hash: b8fbbf48619bf863aba9e5eb8fb3f81e
humanhash: sodium-lamp-mobile-speaker
File name:b8fbbf48619bf863aba9e5eb8fb3f81e.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'186'304 bytes
First seen:2021-02-01 09:45:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:2F2G5pU69Re0zAZnZkAa6V2piFAQPdJXWjCQv:nEpwRZZkt6eiFAQxQv
Threatray 3'619 similar samples on MalwareBazaar
TLSH 53457D212288AE04F9BF9B37D978545093FFAC13DBB3DA2E64E4349D9576B11CB21702
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9e1772002f8791df8ccc8534c234e971.rtf
Verdict:
Malicious activity
Analysis date:
2021-02-01 09:07:05 UTC
Tags:
exploit CVE-2017-11882 trojan formbook stealer
Link:
https://app.any.run/tasks/5017044f-36cb-476b-8896-ab7cef6447e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114452/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/595236
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 346655 Sample: NsNu725j8o.exe Startdate: 01/02/2021 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 7 other signatures 2->44 10 NsNu725j8o.exe 3 2->10         started        process3 file4 30 C:\Users\user\AppData\...30sNu725j8o.exe.log, ASCII 10->30 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 NsNu725j8o.exe 10->14         started        17 NsNu725j8o.exe 10->17         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 19 explorer.exe 14->19 injected process8 dnsIp9 32 pandabutik.com 78.142.208.189, 49770, 49784, 80 VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi Turkey 19->32 34 primajayaintiperkasa.com 103.253.212.114, 49753, 49779, 80 RUMAHWEB-AS-IDRumahwebIndonesiaCVID Indonesia 19->34 36 27 other IPs or domains 19->36 46 System process connects to network (likely due to code injection or exploit) 19->46 23 ipconfig.exe 19->23         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 23->48 50 Maps a DLL or memory area into another process 23->50 52 Tries to detect virtualization through RDTSC time measurements 23->52 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a818e0d6e682be8b8b7a4ec2becdb2de6c05d5503c6f397a63d18ccf0fa9b0f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-01 08:40:32 UTC
AV detection:
3 of 46 (6.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bkay4dlonav6rofxutwcx3g3fxtmaxkvapdphf5ghummz4h2tmhq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2938b38c785f109befe2eb2768082aea672c27e978e52998a4bca8526b1a669f
Formbook
2ad7e15e59c05d71f2682a81f2bf2872eb4421b343a4c4b96748a31064445494
Formbook
31f4d8bb8797649e9de2f8adc7b7e679775784d33d686d7c76429c4fe97a7c07
Formbook
3579fdebe1647aa6a9172a2d808fa43b66a9ebc0e09aba02e1ed70d74dad67e2
Formbook
40acc1cfe1986fee292469e21c175d68bed0502f46af424d0cd8ec42e0ead72d
Formbook
73acf08c9a3ee5b8208b8e21f1c88d9820b6bfc58ddbf1d7eee2029b7626d271
Formbook
750292519a4b694e981556bdaec9c5b568ac54f1b9cb52fc1f740cd45b2748ec
Formbook
7dfb2d60095157148fcb26bdfc4270ce6d5e3678c60628b8f683c4e1adbd8043
Formbook
bda9b47b8a3ca85a643a426750e309fe77d948e2d6f704a8a56ba452dd1531ae
Formbook
d27174550c627e2ae425db9dc83ed7cb1856034184c6ce333efcf383506abd88
Formbook
+ 3'609 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210201-fj2xjsgqv6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.rizrvd.com/bw82/
Unpacked files
SH256 hash:
d6ac94939e1a7c4970b5762b2e87f80ba62c637722428bb7695e4b0ab0e532af
MD5 hash:
8a9645c3403eecad337d866d563e38d1
SHA1 hash:
8f93977d7a32aedad622833fb3ebf0ae09753496
Link:
https://www.unpac.me/results/a77efcea-8ebf-4ee9-af82-3c3ca70af2b3/
SH256 hash:
c243434c3473b6feaf3e361b1ec43dbffde361be836a84297d2b8cf56f174271
MD5 hash:
25f46d336cd3ed7a3a1281396ed4a1b3
SHA1 hash:
bda14180e0780e6298a60f9fbfdfa02ba2bd23f5
Link:
https://www.unpac.me/results/a77efcea-8ebf-4ee9-af82-3c3ca70af2b3/
SH256 hash:
0741117b2fafba8a3a8ae382fc10786bb2529a8432ce0577c6935e8526ddac5b
MD5 hash:
68636a5ff4233a2c2eb38ff504bc0433
SHA1 hash:
de4bb3f7abdfdcb03af952cae091d98ed8ed6f71
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a77efcea-8ebf-4ee9-af82-3c3ca70af2b3/
Parent samples :
0110a52c51d060db8c4b9f3d654340fdf954bd7ceb47956e235ebe5921a57df4
7cea909eb4fef13fdeee846b808200826a8de0292ba555bcc4fefdde642dbb55
38a0bf5c98a42c67d5612b0b377c51725caedc64b19f9c4d20f0ebc6fe972c0d
cd1cdd19d3500f9947de10caa28d3fad75bc207faa10b7f9f7aab88c720dea1b
8ec223664a9b73308e2fdd73bcaa525d4a152a0b9ab799889539d98efcc07c09
bda9b47b8a3ca85a643a426750e309fe77d948e2d6f704a8a56ba452dd1531ae
6c953b93cf75e79db29a1ae424ee8da08962cbda1ec84a49281cccb51013594b
9335b040e7823155fcde32d1cfd5268db42e2f9c191e2144269800adb2a820d8
4924681f7988a37fccc12475b5cf9fa0013fb00d1a8da2dfc4c4e25236b35d7d
3579fdebe1647aa6a9172a2d808fa43b66a9ebc0e09aba02e1ed70d74dad67e2
ba2963b7da8a1df3e40441825654972ce2a5903c9f27bc081e42795c296c80eb
b96e65c2c4d2cdbe32d98e9f24a1e5f1d74bdaa0f47088cc70d48f4be730dc55
204cd2ef2cb64300f46ba8ce7dae3507b6861cd9225e3bae6fc2303360585ef4
38f7338384d3c8576e23aa876f7819c1f201e027bb586900aca0411ea665f07a
750292519a4b694e981556bdaec9c5b568ac54f1b9cb52fc1f740cd45b2748ec
7b5c683c8f9571d55f21bdd73cec4b0f39a169265e58c5877ca94203e61548af
2ad7e15e59c05d71f2682a81f2bf2872eb4421b343a4c4b96748a31064445494
ed035bd3cdab82c607f296fd966c4064f0f04c9011d9e7744ca3e7739ed7269b
27196c6c79c8cdb02b4ee6b1028ec11aa38bbeea6d94d956a22ab1228c65b733
1e0ffffac4a1077450af5cd08414d45c275605cdedd7a3138a863b96ea3624ab
31f4d8bb8797649e9de2f8adc7b7e679775784d33d686d7c76429c4fe97a7c07
b073ef66058998fc6ee7c61fb6eeaffe28a816f36dda995edcd1a6e893deedd3
73acf08c9a3ee5b8208b8e21f1c88d9820b6bfc58ddbf1d7eee2029b7626d271
40acc1cfe1986fee292469e21c175d68bed0502f46af424d0cd8ec42e0ead72d
2938b38c785f109befe2eb2768082aea672c27e978e52998a4bca8526b1a669f
d63c5bbfea14e5cbfc013e0df1c94ff9eb0ea87d95bcd3fb8ff9047cd58dc8aa
9ba1b16e84be57d419e0a19248f13f186bcf9a2d98e97936e16d1fceb0357b97
7dfb2d60095157148fcb26bdfc4270ce6d5e3678c60628b8f683c4e1adbd8043
ebbcc767acc5337309a6f0770c52236b131cbcffb3e843e4bf132489cb2001cc
5d85f149c5450263866d98fadff08504e1a05837cdead5792f291303dfa3438d
0a818e0d6e682be8b8b7a4ec2becdb2de6c05d5503c6f397a63d18ccf0fa9b0f
958cedb2b814c4f1e6c4cb514d5b3eff4a816777baa9533f67f3106b4e18920a
8a432739f45c70d580007c9e4586d826507821bd978c192a5f99c51e85444e6c
e2f640f8cdc89a54ecd8d1a0c8d4b8a4d1e6560f086fd82d05e0010d95a1d9e9
2389280eef390b0fc6e10447d91e265c3c9fb0de749707a8aeeb1a72de2269c4
SH256 hash:
0a818e0d6e682be8b8b7a4ec2becdb2de6c05d5503c6f397a63d18ccf0fa9b0f
MD5 hash:
b8fbbf48619bf863aba9e5eb8fb3f81e
SHA1 hash:
c12da1a8a587b7a2eaf06c0b3607a56b1a85c57b
Link:
https://www.unpac.me/results/a77efcea-8ebf-4ee9-af82-3c3ca70af2b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a818e0d6e682be8b8b7a4ec2becdb2de6c05d5503c6f397a63d18ccf0fa9b0f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 0a818e0d6e682be8b8b7a4ec2becdb2de6c05d5503c6f397a63d18ccf0fa9b0f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/986080/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/114452/

Comments