MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10ff5c8bac827b012bc5b6f789e7c23913b662453cd0bcc7f3f5192260d7a950. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10ff5c8bac827b012bc5b6f789e7c23913b662453cd0bcc7f3f5192260d7a950
SHA3-384 hash: 84453c40d810368f0d16b2348eb1bbad1f27149a5cb11dd70ee7d01e4c680f2b31a2e902b290b4ea3b42b1a1337cb82c
SHA1 hash: 4fe41a2d020638a6446974b30b0f154d9f0b4cb0
MD5 hash: 97ae8e0ee6b8a129ffe8abe444d0754f
humanhash: juliet-edward-beryllium-kitten
File name:97ae8e0ee6b8a129ffe8abe444d0754f
Download: download sample
Signature Formbook
Create hunting rule
File size:477'184 bytes
First seen:2022-01-19 17:12:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:zQ4vg7RxLFYGrwJ2VXM8151L4h9sxw6BadHv5R6t+2HFRltZ3VcFE2CRHMO:kj5qGrKQc8B2oIWtx3VcFGRHr
Threatray 12'771 similar samples on MalwareBazaar
TLSH T16AA4CF07B6DFD925C268677288EF800043B4AF819653E70E3DDC33BC196575BAA4939E
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220721/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1164.27290.13985.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed remote.exe replace.exe update.exe
Link:
https://www.filescan.io/uploads/61e846a8d32385db6309956d/reports/2704d211-6879-44c6-9d64-4f28d489d882/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/035d8924-a81e-401c-8bf0-6f0382b8b7d0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/923684
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 556158 Sample: i4iVs4Q8uR Startdate: 19/01/2022 Architecture: WINDOWS Score: 100 31 www.qiuma.net 2->31 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 39 8 other signatures 2->39 11 i4iVs4Q8uR.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\i4iVs4Q8uR.exe.log, ASCII 11->29 dropped 49 Tries to detect virtualization through RDTSC time measurements 11->49 51 Injects a PE file into a foreign processes 11->51 15 i4iVs4Q8uR.exe 11->15         started        signatures6 process7 signatures8 53 Modifies the context of a thread in another process (thread injection) 15->53 55 Maps a DLL or memory area into another process 15->55 57 Sample uses process hollowing technique 15->57 59 Queues an APC in another process (thread injection) 15->59 18 explorer.exe 15->18 injected process9 process10 20 explorer.exe 18->20         started        signatures11 41 Self deletion via cmd delete 20->41 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        25 explorer.exe 2 148 20->25         started        process12 process13 27 conhost.exe 23->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/10ff5c8bac827b012bc5b6f789e7c23913b662453cd0bcc7f3f5192260d7a950/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-19 17:13:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07bed83b3f7c13154a148f82ceac3fe9f68a7995ed5a939e91427e611bfaa863
Formbook
12412b8e760d4eb40a652e2f1c97aa3fa90d9d913dac4a94bfb373b5b9fc9074
Formbook
1ba44ecb694a9caadfeef6488cf3f666399dd6ae2b3c795f0c877d0e48df616e
Formbook
459c86bf11535b9d62c895a6677a5eb40d8f0cf3136477e5da746045bf3fb6a3
Formbook
64c7583a94ab474b9cd3509e8ca73eb7a19e70ffc2c4fa4582ccd7fd3f10c5ec
Formbook
76d73723ac1e30fad92d7f3fdbb0a87c1d8854ad4e7d3d728805a3f26843085c
Formbook
7f4888239060a411b5a521d19e88bb1158189634f764383c2c2fc0bb84e01169
Formbook
a1d8420052bbdcaf3d318427bfe57edf5cc330fb14aaa5f4a597fac220c2a6de
Formbook
a7aeae9d2c1e1914881ef9c39ae9801c9bc757c58f1bfaeed11957cdc7920a7e
Formbook
+ 12'761 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:p86f loader rat
Link:
https://tria.ge/reports/220119-vreasabgh7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
13b70c256ff4ac42d0d1b537bbb6be1eb53c3bba118380466fa6f3088fb89492
MD5 hash:
69d81d89edc24581dcd6c413476179c1
SHA1 hash:
8595d276ea21d569646c27df7cac12ad600ecd89
Link:
https://www.unpac.me/results/5dd443c5-a105-4b1e-b1e7-a939a4ad6a5d/
SH256 hash:
341fdde0e214b3a1288b372f62ac7bbdd8871880a4021acee22427789efd539a
MD5 hash:
a0dac2e7fa3583f6109fbc2dbe73f47f
SHA1 hash:
a3b13e3304be0b842afbf85e33cad709c79006dd
Link:
https://www.unpac.me/results/5dd443c5-a105-4b1e-b1e7-a939a4ad6a5d/
SH256 hash:
ad9b920aac8b7bb26dea731f2e822e27a38fd14565db2cac3c439dba4eb4c2cb
MD5 hash:
8c2bf680706eab9c447b8c4cab0f5c28
SHA1 hash:
9732dfb5179a610f42f1637bc0af2222ef97d81e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5dd443c5-a105-4b1e-b1e7-a939a4ad6a5d/
Parent samples :
10ff5c8bac827b012bc5b6f789e7c23913b662453cd0bcc7f3f5192260d7a950
4d905d988ba707e76ad18d72f16b931c1868e3ad4be521bf6142d6b9acf5b28f
e0b985ed9547d4799d352c98ed428c0ba78e3abfec8897ec406ea07f306cb982
bfb63f78c88894c097832d1073716db0d322456da3a2bccc15e57eac15fa903d
ef15eca83cb6c33e63b81fc047ebf055ea8d6855118fc616ec051ec0222307ac
16956685e8f153db05d1eda237f9fde5ae23cecc8de57f891be024af9af05626
SH256 hash:
10ff5c8bac827b012bc5b6f789e7c23913b662453cd0bcc7f3f5192260d7a950
MD5 hash:
97ae8e0ee6b8a129ffe8abe444d0754f
SHA1 hash:
4fe41a2d020638a6446974b30b0f154d9f0b4cb0
Link:
https://www.unpac.me/results/5dd443c5-a105-4b1e-b1e7-a939a4ad6a5d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/10ff5c8bac82/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/10ff5c8bac827b012bc5b6f789e7c23913b662453cd0bcc7f3f5192260d7a950

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 10ff5c8bac827b012bc5b6f789e7c23913b662453cd0bcc7f3f5192260d7a950

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1989806/
Cape
Cape
https://www.capesandbox.com/analysis/220721/

Comments


Avatar
zbet commented on 2022-01-19 17:12:14 UTC

url : hxxp://192.3.245.208/555/vbc.exe