MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cfac9ebd9e0bb5a2f128f38b9879e4f103208c8559a68a18bb099fa2b8bf18e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cfac9ebd9e0bb5a2f128f38b9879e4f103208c8559a68a18bb099fa2b8bf18e
SHA3-384 hash: 4257e9ed6d7362c59cbca20f75dfb8200bfc20431f7b47dccc17c3b2e1bdc5621884b9f8ee6ef294cc742e710e1ccec6
SHA1 hash: 55d4645e42f4104229ced1fff95532ee7bd6632a
MD5 hash: e32e254b685cd1709f4ef86b5441d84e
humanhash: aspen-ink-two-may
File name:e32e254b685cd1709f4ef86b5441d84e
Download: download sample
Signature Formbook
Create hunting rule
File size:650'240 bytes
First seen:2022-06-28 09:29:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:uYsu62iN/2iNBuS16rIu+BKn4lVqQB9IBlRn7mbvgPXjWuKkPRxliW1A9sOabdkZ:HC1J1rUrIux46cItyTETvKkPRrh9a
TLSH T157D4AEDC325075EFC897CD768EA82C64AA60647A934BD203A46316ADEE0D5E7CF105F3
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/283842/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62baca5c22ef321587b6e272/reports/b1df6781-52bc-4663-9e05-5bc012174ffe/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a8c5d51b-e980-43f4-90bb-73e62a1cb3dd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1021045
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 653539 Sample: Thkyk7lQBp Startdate: 28/06/2022 Architecture: WINDOWS Score: 100 26 www.shermans8.com 2->26 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 8 other signatures 2->50 9 Thkyk7lQBp.exe 3 2->9         started        signatures3 process4 file5 24 C:\Users\user\AppData\...\Thkyk7lQBp.exe.log, ASCII 9->24 dropped 52 Detected unpacking (changes PE section rights) 9->52 54 Detected unpacking (overwrites its own PE header) 9->54 56 Tries to detect virtualization through RDTSC time measurements 9->56 58 Injects a PE file into a foreign processes 9->58 13 Thkyk7lQBp.exe 9->13         started        signatures6 process7 signatures8 60 Modifies the context of a thread in another process (thread injection) 13->60 62 Maps a DLL or memory area into another process 13->62 64 Sample uses process hollowing technique 13->64 66 Queues an APC in another process (thread injection) 13->66 16 cmstp.exe 13->16         started        19 explorer.exe 13->19 injected process9 dnsIp10 34 Modifies the context of a thread in another process (thread injection) 16->34 36 Maps a DLL or memory area into another process 16->36 38 Tries to detect virtualization through RDTSC time measurements 16->38 28 www.akane-otome.xyz 183.90.228.16, 49782, 80 SAKURA-CSAKURAInternetIncJP Japan 19->28 30 name.shoplazza.store 104.18.129.14, 49780, 80 CLOUDFLARENETUS United States 19->30 32 2 other IPs or domains 19->32 40 System process connects to network (likely due to code injection or exploit) 19->40 42 Performs DNS queries to domains with low reputation 19->42 22 autoconv.exe 19->22         started        signatures11 process12
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0cfac9ebd9e0bb5a2f128f38b9879e4f103208c8559a68a18bb099fa2b8bf18e/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-06-28 09:30:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
17 of 26 (65.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bt5mt26z4c5vulysr44ltb46j4idecgikwngrimlwcm7uk4l6gha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:nn40 loader rat
Link:
https://tria.ge/reports/220628-lgf7ysgdhk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
eb34d25f79cf69105cc87e8e8f902fce7bc2dc4c80d5c1dc510cf60b3859dfb3
MD5 hash:
f8fbac0b58d026c8dd80df878e2e7774
SHA1 hash:
69de8ce161c2fdd0d10aee01a20a1e3b2b51237c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
XLoader
Create hunting rule
Link:
https://www.unpac.me/results/b87add44-ffc1-498c-8001-af778c6001ae/
Parent samples :
9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538
4413a2e6e778cdc5dd839816a62d25e68095be325a28036b45f85716405a2d18
c9777cb78779de98104f1a01584f9df07e39b7ace7d5e6686d225e7261bd9447
0cfac9ebd9e0bb5a2f128f38b9879e4f103208c8559a68a18bb099fa2b8bf18e
1d9fc02237d06ae3ee5ea85ae14a05ab41ee99f03ac660e3f6360ac6864bf7fd
d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d
35ddf428695769bb87459e0848cfae7eb62a86c91c8bb33a2caa23c5fbc43b73
d9953c25aba720427a7122609ba2ec3ed42861e9acd631dc5f2a0deb3d8508b5
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/b87add44-ffc1-498c-8001-af778c6001ae/
SH256 hash:
87577e6c69af07ba0e6383a2a152b59a39d6b336631ce4baa250bd9f8adce03d
MD5 hash:
9b17d560e68eff0da30f79b3c391c9a3
SHA1 hash:
5ceda263b1ea13401f652c709dd884d58945fe57
Link:
https://www.unpac.me/results/b87add44-ffc1-498c-8001-af778c6001ae/
SH256 hash:
9c034afa5d5ebda57c357a67f6644c9f6220e24b8f99346a6558be218343bb1c
MD5 hash:
608c324d7d6ec8166fbe6c81d66fa14b
SHA1 hash:
4a7ef146b53afd968a9788e9b312462aef664c4f
Link:
https://www.unpac.me/results/b87add44-ffc1-498c-8001-af778c6001ae/
SH256 hash:
d8dbab17ac239514d968c8560719cccee294a367b6e90400c88a17312e54f35f
MD5 hash:
1b63455f0cfeeaf9c551f7945fe4b33b
SHA1 hash:
06a614a61c96f1424005927e259451ba43ef3c63
Link:
https://www.unpac.me/results/b87add44-ffc1-498c-8001-af778c6001ae/
SH256 hash:
0cfac9ebd9e0bb5a2f128f38b9879e4f103208c8559a68a18bb099fa2b8bf18e
MD5 hash:
e32e254b685cd1709f4ef86b5441d84e
SHA1 hash:
55d4645e42f4104229ced1fff95532ee7bd6632a
Link:
https://www.unpac.me/results/b87add44-ffc1-498c-8001-af778c6001ae/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0cfac9ebd9e0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/0cfac9ebd9e0bb5a2f128f38b9879e4f103208c8559a68a18bb099fa2b8bf18e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 0cfac9ebd9e0bb5a2f128f38b9879e4f103208c8559a68a18bb099fa2b8bf18e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/283842/
  
URLhaus
https://urlhaus.abuse.ch/url/2251988/

Comments


Avatar
zbet commented on 2022-06-28 09:29:06 UTC

url : hxxp://198.12.91.239/sbuka.exe