MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 144d8b9e77f9c36dbd271d84635cda3eb22b470dbb64e63b1e898041743918fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 144d8b9e77f9c36dbd271d84635cda3eb22b470dbb64e63b1e898041743918fa
SHA3-384 hash: 26ef04646b1cee174c3a11440d461c4269764d5f58d6d5b137e93d8286220a77129cb8413ee21a55e9032d2125a806f9
SHA1 hash: db2eaf0d8a8a9f2856d9a9b0cc9ae7c9aaf35c86
MD5 hash: b4536ff04a41cb627463ed157b9c7521
humanhash: juliet-table-speaker-wolfram
File name:order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:248'028 bytes
First seen:2022-03-30 11:21:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (723 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:HNeZmCatx5SFXIcsCbeA79KHt8SCfqlmDwB/NCl:HNlCIx2XIcsrk9uyFwNI
Threatray 10'470 similar samples on MalwareBazaar
TLSH T1CC34126467F1C073E9E2083B0CBA95A96669D55190322B4B17302F9C7F353D5DA0DF3A
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/259642/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.4865.19521.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
Reading critical registry keys
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12094/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62443d5ea19c649412ac0282/reports/7c428327-8d0e-463c-b0e6-ed5913aa1e3e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6fa6abd4-4cef-4c19-aa5b-212d61945efd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/967519
Behaviour
Behavior Graph:
n/a
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/144d8b9e77f9c36dbd271d84635cda3eb22b470dbb64e63b1e898041743918fa/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-30 06:51:05 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=crgyxhtx7hbw3pjhdwcggxg2h2zcwrynxnsomoy6rgaec5bzdd5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1c783c06aa669b0133618672069fba39409a6eda891e48e172d679ed0c1e8fef
Formbook
2c9eea8d5b6618d104ec61f30308a1e872139ff87a6a9f18bf3d7dd442f9fcf0
Formbook
5d0a8a5478876026ee661b50518e44f95308bf20e1e512c3608f97f97aed3384
Formbook
6c827d61cbe6d4b9c2851c1c234353265188e805cc27ebe195b9133e1f8fcc80
Formbook
9b9b8fda0efdc14380cc3da53380812bfe152a4a05de99aa9159f167066f9ff0
Formbook
a84fdf2c7dbfe8009f998273a7ff9e51c440ea3daa1b93d5b29b3a8e71b35a25
Formbook
bbc5503e9511c3d9a4116c7c0189bcf33a0189cf61e02bc9f605b9beab320e91
Formbook
de12f96f01168f625165bda83f4d556d00d6c473e61aa5c6f424aed07ae9cc04
Formbook
f559645f8b05d3c7499f23fd4f6f8f74dad45c3b2501266db7c36b67c8e80e7a
Formbook
fff77f3852a66a56bad4ec5bc1c1bc2afb0b08b8ea65393384a1ee6917dcb355
Formbook
+ 10'460 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:hxn2 loader persistence rat suricata
Link:
https://tria.ge/reports/220330-ngjzysgadr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
ed9c55c5d42606ecd2db947342785c5bee44bbe2eb294a610bb26eea9364bc8e
MD5 hash:
131425a85a61a4444c7d47e0f02acef3
SHA1 hash:
da931512d51f0c1856876baf30c71b92993b5d62
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/87ec1f2d-a4fe-4264-a645-6c4e80185822/
Parent samples :
144d8b9e77f9c36dbd271d84635cda3eb22b470dbb64e63b1e898041743918fa
e735b2b23f835ce6ed2ce0f8404afb8a4d954d7a3533700aa9a0108029ad4215
SH256 hash:
a128f52dc4c68aabd676d912a20df4795d67b03b051dee4a78ed07cb12b16fc3
MD5 hash:
fd26cde0dacc67253f90963a8ff4c0d6
SHA1 hash:
114dbf7d786af91f7905507b9b6dd04f363a5f44
Link:
https://www.unpac.me/results/87ec1f2d-a4fe-4264-a645-6c4e80185822/
SH256 hash:
144d8b9e77f9c36dbd271d84635cda3eb22b470dbb64e63b1e898041743918fa
MD5 hash:
b4536ff04a41cb627463ed157b9c7521
SHA1 hash:
db2eaf0d8a8a9f2856d9a9b0cc9ae7c9aaf35c86
Link:
https://www.unpac.me/results/87ec1f2d-a4fe-4264-a645-6c4e80185822/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/144d8b9e77f9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/144d8b9e77f9c36dbd271d84635cda3eb22b470dbb64e63b1e898041743918fa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/259642/

Comments