MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0afd047607e52ba3e4994fd71a66964ab2af835b661746cf12ab53368a40b7ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	0afd047607e52ba3e4994fd71a66964ab2af835b661746cf12ab53368a40b7ad
SHA3-384 hash:	44aae40c2f54ea8238f5d52a57b9ac9c0b5c3b313afa8279cce46976b6c7807db02a38f84d7f32824afff24d4149b487
SHA1 hash:	3681e97e3f5ab122715185f8d709ad532d4ab28e
MD5 hash:	fd122178ca3830214dc968e8d43ea612
humanhash:	violet-finch-eleven-aspen
File name:	SecuriteInfo.com.MachineLearning.Anomalous.94.27679.2045
Download:	download sample
Signature	Formbook Create hunting rule
File size:	422'912 bytes
First seen:	2022-01-24 12:59:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:wIoyiKihh4e+9gYjzNCJxH2mlJzoWDwl:Rfhioe+9rNC
Threatray	9'717 similar samples on MalwareBazaar
TLSH	T12694F14C729872AFC467CF7ADDA01C10E66174AA1327D747948B129E9E4F38B8F116F2
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

198

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/221945/

Detection(s):

SecuriteInfo.com.MachineLearning.Anomalous.94.27679.2045.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit keylogger obfuscated packed

Link:

https://www.filescan.io/uploads/61eea2dbf81da814af9feae9/reports/c945ca4d-7228-4692-a5fc-18eb56c3c21e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/64cbdfac-704a-4e83-ba3d-83a81a06359e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/926323

Signature

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Accessing WinAPI in PowerShell. Code Injection.

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Remote Thread Created

Sigma detected: Suspicius Add Task From User AppData Temp

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0afd047607e52ba3e4994fd71a66964ab2af835b661746cf12ab53368a40b7ad/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-24 11:02:46 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 42 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bl6qi5qh4uv2hzezj7lruzuwjkzk7a23myluntysvnjtncsaw6wq._file

Verdict:

malicious

Label(s):

formbook

Formbook

37182811d9f3a0a2b3126266dc70a5253c4745de7e18e75a4c29393fbdedb142

Formbook

4543a3d8d235564d4ee40c91668182795956ab149c15fb08afdc89111ab80082

Formbook

838646bc9841804d7671fb25b3fd5d3e67e91c1d341c7125ce63ad436ada5f26

Formbook

996cc6827a24a8d9ecce1b82269dbbfefd30142f72de61e723173422121c892d

Formbook

d89ceaf1e34dd42cef063ecb6b8e219479f276c6cc30e2ab6ae8c881a8d60633

Formbook

dac74494f01d415ffd11b8d9dfc13b8910fd731ec1d2351d2c5115228d252cf0

Formbook

e4999525a5626a76247a8f02a9e08c0ea35f13f717687b8a966cddb72f8adc6f

Formbook

fdbca30c6db5b5bc5e1a954ce387deec23d7b77ff249ec916bcabb0a5faeb783

Formbook

+ 9'707 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:s9ne loader rat

Link:

https://tria.ge/reports/220124-p8nmwseghn/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

a7c9191926984533176b429c96b58523446d7d9d36c14abf7aa4e2e0457ad63c

MD5 hash:

98e44131b70d108dec197a48e5cec096

SHA1 hash:

c002a66b36e29bd79ad5b3f32d0a661ba0fd16f8

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/412a7b99-cf4c-4b34-891f-00defdb1b6a2/

Parent samples :

0afd047607e52ba3e4994fd71a66964ab2af835b661746cf12ab53368a40b7ad
ac9e5b47d04e1bbf51afdf5ede13d16ad23dadb174eb3ac0aec1c26d255b807d
ad50215575f299a7cc0aa9616f5e6f4f4ad43ed8d51f15403a519b8871d3547d
dec8cfd95e7f3b0db46981117fe82eb59daab642c20c1e1ecaffe45df22af8c8
beccec456cf3e74a220ae1c8fa65cc0f4ddef57bee5d4f2ec71ad7b99da52369
4f538ee6b8d7c6e779e1af1945dbcf1903947f45e707e68b1be0ce6a43b8041f
20142adbbec4e79cf460d90f427a580223ee0cab8e7946fb6e21133279949750
69c77fdb89867a4004fcfc8de12e3ea749456ecd8e7cd9a3e316e9b7d5093f48
d368e6da00a94aa2a44145cde60d85f8b29cf8634893769f243f503524e24043
4efd8009a4be3d178d95134fbea3a30b01f2053d60414bc77072330b58fb26ad
49811dca565bead069108819f9ad132a2214364381f97dcf7f0f439614cc8ff4
ff3f7736a06e89ae300270369d83b922423c8a840903b30a8a21365c4b0b0628
1575198d7ad60f56d2a14359f82de8b6d0a5fc3278c1b6dc55716b17873ab54f
9bceb9680d39094087add5289a7e19aa93168faf9c5f2465700b117d59e8d841

SH256 hash:

24dababb2670cdb4fdc98f11ab48e8fc0a44ce20aea877fb745280f853f9a63c

MD5 hash:

bc6f922c2742d7fcf828a0d4d0276750

SHA1 hash:

069353b0142b81289358f492e886798610f4a438

Link:

https://www.unpac.me/results/412a7b99-cf4c-4b34-891f-00defdb1b6a2/

SH256 hash:

cae5d7f9136b76b27122ea23425a09a65c1afacc3f757bac86a92ffaffb6a815

MD5 hash:

009e9d6abba4441b74819d1cd04d60ef

SHA1 hash:

5edfb4671d22ed7c9308da7e9713fa3fb03ff4a7

Link:

https://www.unpac.me/results/412a7b99-cf4c-4b34-891f-00defdb1b6a2/

SH256 hash:

8325a5cf7942bb46ac528c836b79180c05d71a4e7de108693d303d56bcc5def1

MD5 hash:

efdf2c54a74297c24bc73285376c432b

SHA1 hash:

564f25afb6c5599cdcd5fafaff32c1475e581af4

Link:

https://www.unpac.me/results/412a7b99-cf4c-4b34-891f-00defdb1b6a2/

SH256 hash:

0afd047607e52ba3e4994fd71a66964ab2af835b661746cf12ab53368a40b7ad

MD5 hash:

fd122178ca3830214dc968e8d43ea612

SHA1 hash:

3681e97e3f5ab122715185f8d709ad532d4ab28e

Link:

https://www.unpac.me/results/412a7b99-cf4c-4b34-891f-00defdb1b6a2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0afd047607e52ba3e4994fd71a66964ab2af835b661746cf12ab53368a40b7ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/221945/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample