MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952
SHA3-384 hash: bc04d396d094bf5911c3824fa97dd2e852870b9f21b940b5e52865ff7d085e9a31d8c7f2ab6cba1e353d9df3f28ebb2e
SHA1 hash: 5788c30289d12f69d5cf323049d8d3c3a3e73cda
MD5 hash: 686dc98567009e47eac88e95804b9dde
humanhash: march-blossom-xray-xray
File name:686dc98567009e47eac88e95804b9dde.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:177'125 bytes
First seen:2021-07-22 07:59:00 UTC
Last seen:2021-07-22 08:47:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1eef928161ef7d2982c39057cbea43bf (1 x Formbook, 1 x Loki)
ssdeep 3072:6C/f5NIRlNlcHX0QuidYsPBpdpqbIYW/4Steoi+i1NVKlqxuk7n44QCvx7Ics0cz:RqlNlcHXbUApdJ/4+iXN0lqxNj4xC7rc
Threatray 6'780 similar samples on MalwareBazaar
TLSH T1350402A8A73CA21ED374E5310512EE7A0A8484FA51FFF1F7C7D1184EAA493C41A1D79B
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
686dc98567009e47eac88e95804b9dde.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-22 08:02:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/02ba0c18-6d20-4fce-ab79-e034a28b0f3b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173248/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37274622.12452.1071.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b174489-6d4a-49fd-ae87-076bd3feee19
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819994
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 452405 Sample: wREFu91LXZ.exe Startdate: 22/07/2021 Architecture: WINDOWS Score: 100 34 www.wthcoffee.com 2->34 36 www.avito-payment.life 2->36 38 wthcoffee.com 2->38 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 4 other signatures 2->48 11 wREFu91LXZ.exe 2->11         started        signatures3 process4 signatures5 56 Detected unpacking (changes PE section rights) 11->56 58 Maps a DLL or memory area into another process 11->58 60 Tries to detect virtualization through RDTSC time measurements 11->60 14 wREFu91LXZ.exe 11->14         started        process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 17 explorer.exe 14->17 injected process8 dnsIp9 28 tinsley.website 50.87.238.189, 49741, 80 UNIFIEDLAYER-AS-1US United States 17->28 30 matcitekids.com 50.87.248.20, 49743, 80 UNIFIEDLAYER-AS-1US United States 17->30 32 14 other IPs or domains 17->32 40 System process connects to network (likely due to code injection or exploit) 17->40 21 msiexec.exe 17->21         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952/
Threat name:
Win32.Trojan.VirRansom
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 00:59:00 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=chmey744k6oc4whuvtae2senl4ogzqcdsyeqthvl5rbeit267fja._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0cf80c8f64e7d607ee9088aaae888815ef75788f4f425b8fed868f0b057abdee
Formbook
1a222b6d3a94cd1c8447b52f150e6d7dc20842da0d2e81ccbd0d6ecd5d01f59a
Formbook
39d6d6751f8690fc26a41d18d14f076fce5cdffeceecdd1738d731e4ce7ddda5
Formbook
9a2b8fc3a21d660a2d8526bd1816b1304d60046e26c6d33553701d3883a6d31c
Formbook
d8dcaea8f4111f3d9f443de90a88ecc27e9e3a878d86d923738059a6c0bafe7c
Formbook
+ 6'770 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210722-3e5yzcryas/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.extinctionbrews.com/dy8g/
Unpacked files
SH256 hash:
5ff15cb9a8d67710a630867ef622b6bff24f3ee52ee6844c9027b0455a71e2fb
MD5 hash:
c8a9188528db8956650b728924c2e513
SHA1 hash:
d3c6cb5fa7ad84cf1b41ff56ea6e2843beb11642
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/8c6fc55e-6a69-4c18-94f4-b839f2a1abc0/
Parent samples :
0fdda8d99fa4bec3e24b20ace57759d6af0f643d835be41c1be0e93ebfc2970d
8b39bf75ce8ca2ecadafeb01a2ff33fc07419198e5b222bf20385ecbf2da0ff4
35d5ace8383b8bbf1b4f1846b8f4c852899bad23312c02a1fa413c4d913e8603
0269bbd8953a859b8f56784a8321414cb8e51f74a8c95d9121c7fa484db2e34e
968e33752d87dc19ca806c2debcf125a50f6223b5732eb3191b9d9c9db9cf4dc
b21e4b93bd73868c7dcd13384c55c8c9b562abd7d858497a45f8a804ff639866
8a10e17372d6f0d1216481058f73b83733ffbdd61ccb4a92ac7543b0308bc5ce
c92701cd811149250de5cf99296d191459a85dd7776088394ea3e31e6beb26b9
df008aace52827a15e0dbf8e6eb1f4febdd6fafcdbcbafe16ff27b7526594be0
0cf80c8f64e7d607ee9088aaae888815ef75788f4f425b8fed868f0b057abdee
d8dcaea8f4111f3d9f443de90a88ecc27e9e3a878d86d923738059a6c0bafe7c
9a2b8fc3a21d660a2d8526bd1816b1304d60046e26c6d33553701d3883a6d31c
1a222b6d3a94cd1c8447b52f150e6d7dc20842da0d2e81ccbd0d6ecd5d01f59a
39d6d6751f8690fc26a41d18d14f076fce5cdffeceecdd1738d731e4ce7ddda5
11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952
a0c7b3d44a5cfcda917fc80c099da5ab3de582ff7c24f1373b4bd25f88d61e52
b764504a2998416edbba85e1495c8311f8cc94f5775ce3413b8d3cbd5acf03d7
b0a684c7dfc5a94e3dd2edcb1c706eae088ff9d701ec55f0adb1ae977e5e9081
47084efc1f6a0205db28ae519b750bb03bbfb310609f9924e999e47bd99838dd
3759a4136f3ab450b1c26121511bdfea101baf948b580af60516c8c2d5c7b900
537a1b1e9a633875a74664967b2e62803f01b619fb26df9b4762b6795ee1b0ec
ab101d01bcc79b6835eeeae5c3e89b0857fdd3b32e007b15ec5541a5f4aa9e00
ef925865b194ddd0d59233fec99f8e3608a623c3d4f7eaaf34b9af57f9bb0a82
f51f764b6ee4051c097c29478b9fe1bea52df1be495c236bfc622477533e5ccf
84679ca59603f405a5096114188af75d5dcc3680ef795e446bd358f48cf12046
56037f063f73db6d972501996ef47add6b861c01140c3d8d51cc08de64b3d73a
b840f470d0cb4edaa85663b15f539593e3c31d81cec9e9ed1bb1c2539fc8d20c
56d6f10098e58e9b99da5ac5a8ed3c9a1f37eff6b2361907316cf3222f8652ec
a456a011d3554d95939f148a5bd1e46c5fc13cdf3e35e76da3d9117903bf89b5
368b6977de3879f6399b1199a740aea7457cbdc53aac44823d3d3f704fac1d7f
273f8137fbe63ffef8f64fa9efad27fac451ffec71edaf1a4a7769a277a2379f
SH256 hash:
11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952
MD5 hash:
686dc98567009e47eac88e95804b9dde
SHA1 hash:
5788c30289d12f69d5cf323049d8d3c3a3e73cda
Link:
https://www.unpac.me/results/8c6fc55e-6a69-4c18-94f4-b839f2a1abc0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.13
Link:
https://yomi.yoroi.company/submissions/11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1335110/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173248/

Comments