MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12e42bff4fa377032623342ac1f23a5c87225a40ef8b900cbb06ae4bd203864d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12e42bff4fa377032623342ac1f23a5c87225a40ef8b900cbb06ae4bd203864d
SHA3-384 hash: bbb3ebc59630bec359ec8fda07cabcc8fda17991fa32118783a70364403145994cdeb832bb142ce3597003756b2beb19
SHA1 hash: cdc4992d5e425628b1c12c51d64a9105824bacc5
MD5 hash: 1da73d4931cd6893f7b9fc765225a62d
humanhash: robert-foxtrot-five-fanta
File name:SecuriteInfo.com.Variant.Midie.79660.31247.11578
Download: download sample
Signature Formbook
Create hunting rule
File size:167'936 bytes
First seen:2021-03-04 22:43:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4a287306e380550984c573d03cb442d1 (1 x GuLoader, 1 x Formbook)
ssdeep 3072:dfALNz2r7MVyAOZCuj8fYEqaL/uBqueQiL:y8rcUZCujb3aLGBA
Threatray 725 similar samples on MalwareBazaar
TLSH 3CF3C7B2B298E416C5BF98B0870199A8B1896C3119D59903D2D2123F2F7DFDDF774A23
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
gotv.exe
Verdict:
Malicious activity
Analysis date:
2021-03-04 15:59:10 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/9856d885-4671-40ae-ae41-388678e8ed2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/122372/
Detection(s):
SecuriteInfo.com.Variant.Midie.79660.31247.11578.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Sending a custom TCP request
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/629288
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12e42bff4fa377032623342ac1f23a5c87225a40ef8b900cbb06ae4bd203864d/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-03-04 13:04:57 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=clscx72pun3qgjrdgqvmd4r2lsdsewsa56fzadf3a2xexuqdqzgq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
064cad19bee4580a82bc4ee3558e8510100ebba8da83720749f553cc411d5cb3
Formbook
0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8
Formbook
1b9311365ac0c371e7e3656d8d9074a654bfff4677e074f754e5053bca200298
Formbook
21ba0bed0b05a2ce68496e73a5c103fb5b815ac2c77e997f46e5d09666c1c978
Formbook
411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3
Formbook
7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd
Formbook
e3670bfc1db6fb7223bb6b231ef4c3afd9d34de1d8f87b7a8e7a4cb27cfaa37d
Formbook
e8d51997565e36847aed9b406cb8e7700136b2e6c342709f66fe8fb8d5540c3a
Formbook
f473b9593789f4d0184a1d8f08ebe9187d9c52a3bda939eb4411dba1f060610d
Formbook
ff9b0f1788f165edd1e2811c182a990a352a12453706f85d90eaac2601597862
Formbook
+ 715 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210304-yt4rw34q8a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.pardsoda.com/w25t/
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/36c5d98e-c35a-49a9-b93d-12d2546e17c5/
SH256 hash:
12e42bff4fa377032623342ac1f23a5c87225a40ef8b900cbb06ae4bd203864d
MD5 hash:
1da73d4931cd6893f7b9fc765225a62d
SHA1 hash:
cdc4992d5e425628b1c12c51d64a9105824bacc5
Link:
https://www.unpac.me/results/36c5d98e-c35a-49a9-b93d-12d2546e17c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/12e42bff4fa377032623342ac1f23a5c87225a40ef8b900cbb06ae4bd203864d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 12e42bff4fa377032623342ac1f23a5c87225a40ef8b900cbb06ae4bd203864d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1047289/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/122372/

Comments