MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f613fccbf90fbfc8701e31eeab889422e04413ffc7d479cf95dbb143bd7aaf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	0f613fccbf90fbfc8701e31eeab889422e04413ffc7d479cf95dbb143bd7aaf9
SHA3-384 hash:	3dfbfa5643a0cbdb0bf8e6045fb30b4857d91415d16eb443dfe7a79e723273edf512b5b7bd26818d2b7f17d017d48877
SHA1 hash:	cc38c9632cb92747bbc71b860489ece5fdf4e702
MD5 hash:	52ff4e62c3f34e64db731596f6b47c67
humanhash:	quebec-twelve-autumn-purple
File name:	LPO-MDP4.JPG...........................exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	795'816 bytes
First seen:	2021-05-09 05:57:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:XCR3GSQdGcqNLYPXKo1mp+AB0JsXgMp3SMbKO+BAXlHdijGEMB/0iDQ:4MpqNQK0mpzB06X9pCMbh+GXtdhE+e
Threatray	5'184 similar samples on MalwareBazaar
TLSH	1D05123783545F67E97F5BBD2160510017F1A129E322EA49BEF950CF6593F80A2B3B22
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/153427/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/719959

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/0f613fccbf90fbfc8701e31eeab889422e04413ffc7d479cf95dbb143bd7aaf9/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2021-05-09 00:30:31 UTC

AV detection:

10 of 46 (21.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=b5qt7tf7sd57zbyb4mpovoejiixaiqj77r6uphhzlw5rio6xvl4q._file

Verdict:

malicious

Formbook

1b9311365ac0c371e7e3656d8d9074a654bfff4677e074f754e5053bca200298

Formbook

4cced354a0867338e39875526796861c483e8475bdacd117dd34ad1c2d89ec63

Formbook

67bf85e54212cc6dd8e3f3bdfe292d7440ae7f7ad5f131f9c8b5ea51a86c1e96

Formbook

8c12d46d8842e4aea5c000fdea92abc49a86019f74a4a3d37e039a05c0b17c23

Formbook

95eedb3eaf98ec12d5f66609278d43f94e1f635420d413ee0672bbf9434aafa4

Formbook

a173731d16e9140be26ee0a16e6416109b684b71a3523a3c4b85cf101bcd3b1e

Formbook

cfc09cd2a2109a174ccbc346779f2e19316be4601173e2e85c3e4314cc139017

Formbook

d6425ada378353c0626235fefe3e06abb0c64dd14418d76a6bde00c10d817757

Formbook

dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450

Formbook

+ 5'174 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210509-x3kt1agzms/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.zeinamarket.com/sumb/

Unpacked files

SH256 hash:

bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87

MD5 hash:

826b29e2a141b055a5491c9d7dc6eea7

SHA1 hash:

af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9

Link:

https://www.unpac.me/results/28198a89-c969-43ae-b9f4-0f38ba652d4a/

SH256 hash:

0f613fccbf90fbfc8701e31eeab889422e04413ffc7d479cf95dbb143bd7aaf9

MD5 hash:

52ff4e62c3f34e64db731596f6b47c67

SHA1 hash:

cc38c9632cb92747bbc71b860489ece5fdf4e702

Link:

https://www.unpac.me/results/28198a89-c969-43ae-b9f4-0f38ba652d4a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.05

Link:

https://yomi.yoroi.company/submissions/0f613fccbf90fbfc8701e31eeab889422e04413ffc7d479cf95dbb143bd7aaf9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/153427/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample