MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13bd267ca3d7af495f8cd8f72daf3ea997312671eafe9992a88768e4f3ecc601. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13bd267ca3d7af495f8cd8f72daf3ea997312671eafe9992a88768e4f3ecc601
SHA3-384 hash: 5e560d09c1e6bd072b05ffc2945a4b502599e1e721b6a6c47de4496c316a3347c65b9320dfb1326ec03ce5c11f8f30ee
SHA1 hash: 0f90b28aa225725493ef72a9915bf0c5082ff992
MD5 hash: a505757fb36d0c2945985135b1de90cb
humanhash: iowa-utah-video-lithium
File name:catzx.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:569'344 bytes
First seen:2022-05-16 12:07:54 UTC
Last seen:2022-05-16 12:51:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:YzY641xAvUKSFAx4mHjJrquGWw6YKnDzhBn7d:1wDROSjJrq2jnB
Threatray 15'517 similar samples on MalwareBazaar
TLSH T1E2C4022E7784CF11C09C58B9D1F3817953F6A08B5232D6862EDA02C65F13B949D8EBDA
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c0b0c6c8a896a0c0 (20 x AgentTesla, 19 x Formbook, 12 x Loki)
Reporter pr0xylife
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
http://62.197.136.176/files/catzx.exe
Verdict:
Malicious activity
Analysis date:
2022-05-16 16:20:13 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/9b4bad52-56cd-4788-9630-52a55b61520f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/271071/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62823ebd70e563c383697cb4/reports/623f0fd6-455e-4586-b97e-72e06cdac9dd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/318cdad3-bdb5-4447-9fd6-2c17d19ba5ba
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994878
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 627375 Sample: catzx.exe Startdate: 16/05/2022 Architecture: WINDOWS Score: 100 31 www.totallyglamplans.com 2->31 33 www.baro-drom.com 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 8 other signatures 2->41 11 catzx.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\catzx.exe.log, ASCII 11->29 dropped 51 Tries to detect virtualization through RDTSC time measurements 11->51 53 Injects a PE file into a foreign processes 11->53 15 catzx.exe 11->15         started        signatures6 process7 signatures8 55 Modifies the context of a thread in another process (thread injection) 15->55 57 Maps a DLL or memory area into another process 15->57 59 Sample uses process hollowing technique 15->59 61 Queues an APC in another process (thread injection) 15->61 18 explorer.exe 15->18 injected process9 process10 20 wscript.exe 18->20         started        signatures11 43 Self deletion via cmd delete 20->43 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 23 cmd.exe 1 20->23         started        25 explorer.exe 85 20->25         started        process12 process13 27 conhost.exe 23->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/13bd267ca3d7af495f8cd8f72daf3ea997312671eafe9992a88768e4f3ecc601/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 11:43:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=co6sm7fd26xusx4m3d3s3lz6vgltcjtr5l7jteviq5uoj47myyaq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
12a79c59a47c99e0fc5ecf626e45e5b4d1abef887f00214096d18e4813757234
Formbook
181b33c4cba7fc9aad25283ed5fce1f171f8fb64af1591bfe5c38285a7091956
Formbook
502303edd5a9de57b3667146e84f15fc4957242ca2ef8f75f5e503946c452ee2
Formbook
67435ee3c6fd3d272c004256f34020df37fb93fd33c18720053b9d2c1bb19b67
Formbook
75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5
Formbook
8620dfa9694ab0983c78573f6a5d3b6a9eae06907282c6ad4ca84fa7d1b79b98
Formbook
898b47cb2e4d16a7325de16aae14c3c66894467ece923e706c186ee9ab75799b
Formbook
97e3431b489d64fb200c178334d0229cea2495e7f01856ac8571e4f085636b73
Formbook
da30dd86e912cbfcf0cb4306265cedf47604891dc868db7c59dd92d47ad32063
Formbook
da90895ec14c13c733ba3550194ab36a4c64130c5c2b2038c163dff0c505b3e3
Formbook
+ 15'507 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:r007 loader rat suricata
Link:
https://tria.ge/reports/220516-pavzbaagf4/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
6ed09c20ff79ea8706263d0368392f5c149c44acdc194b117cdb78ac03ae737b
MD5 hash:
0005edd776b20719dcf00b7a4af517b9
SHA1 hash:
a639fd6762096cca61dff784962d69dc144b3cb1
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d553dd68-cebc-459a-9fc2-2d0fa97f3673/
SH256 hash:
dfeb58b70b3c21dee8fff1d81f145ca814044f75f25585a16b4903875cf651c4
MD5 hash:
bb0e451d1e82849152810ccaac69e9b6
SHA1 hash:
e46b08d65f198212a685d3774342810df5e54c00
Link:
https://www.unpac.me/results/d553dd68-cebc-459a-9fc2-2d0fa97f3673/
SH256 hash:
314f86b5e026b9a235e867bb436801e40d84bab590ce4a3f10558b436bed37f5
MD5 hash:
6955f45fe49cec0af918ee6a3c0bdd59
SHA1 hash:
bab2224e7db105e08a10ee4c31f9cf819edca69d
Link:
https://www.unpac.me/results/d553dd68-cebc-459a-9fc2-2d0fa97f3673/
SH256 hash:
709fdbef8932044e42231f14888aa12b12ddc571e6daba8af86d624a39fa63bf
MD5 hash:
a7a6647650fe0204d1ab042824d638be
SHA1 hash:
a1194aba19ab6190a412073fe1918cd1b559aacf
Link:
https://www.unpac.me/results/d553dd68-cebc-459a-9fc2-2d0fa97f3673/
SH256 hash:
e3044dbd00157a51ca6bad1a06f57c11fd67794d64565758c6c2f32d96d66eb6
MD5 hash:
022447d8eada33b74d98bbe874f72ee0
SHA1 hash:
52900658515b39a68a2df8f6eae4c0cdf2e042f4
Link:
https://www.unpac.me/results/d553dd68-cebc-459a-9fc2-2d0fa97f3673/
SH256 hash:
13bd267ca3d7af495f8cd8f72daf3ea997312671eafe9992a88768e4f3ecc601
MD5 hash:
a505757fb36d0c2945985135b1de90cb
SHA1 hash:
0f90b28aa225725493ef72a9915bf0c5082ff992
Link:
https://www.unpac.me/results/d553dd68-cebc-459a-9fc2-2d0fa97f3673/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/13bd267ca3d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13bd267ca3d7af495f8cd8f72daf3ea997312671eafe9992a88768e4f3ecc601

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 13bd267ca3d7af495f8cd8f72daf3ea997312671eafe9992a88768e4f3ecc601

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/271071/
  
URLhaus
https://urlhaus.abuse.ch/url/2197329/
  
Delivery method
Distributed via web download

Comments