MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16c6b4c1d616cf406d917ba4bdab7c23fba2752bbe308d0f241eb1f1c57927b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16c6b4c1d616cf406d917ba4bdab7c23fba2752bbe308d0f241eb1f1c57927b8
SHA3-384 hash: 811dc358de1eaf0b3775585c39686e89222ee596b821358cfcb7f5dd838d2ff3ab9a1a9c9c013f1bf1d8a0cd1e85f3ec
SHA1 hash: aa97cd6186ea6aeb50d52c6690e3aad374c6b555
MD5 hash: 7a8631acfa6ee2a0aca399d09e5ba0b1
humanhash: vegan-jig-asparagus-happy
File name:7a8631acfa6ee2a0aca399d09e5ba0b1
Download: download sample
Signature Formbook
Create hunting rule
File size:298'492 bytes
First seen:2022-02-16 09:38:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:owbQBHLz3YsUiY2M6dx8VEt5t2UMFo1nueuXJLzbp1vTn:nQFLTYSY2jaEtCq1hYLPbj
Threatray 9'363 similar samples on MalwareBazaar
TLSH T12C54121DA0C7C0B3DF054A7562F7AB17E3F6F1052252A39367940FAE6A6A38B391C053
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241864/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
Reading critical registry keys
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/620cc639a2660f3bb9e44ec9/reports/e2b36455-41e3-4962-bba6-b95e94b8cad9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d38a242e-95cf-4819-b786-3a56b57e6358
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/940690
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 573168 Sample: vZfduPu4hR Startdate: 16/02/2022 Architecture: WINDOWS Score: 88 16 Found malware configuration 2->16 18 Malicious sample detected (through community Yara rule) 2->18 20 Antivirus detection for URL or domain 2->20 22 4 other signatures 2->22 7 vZfduPu4hR.exe 19 2->7         started        process3 file4 14 C:\Users\user\AppData\Local\Temp\sileax.exe, PE32 7->14 dropped 10 sileax.exe 7->10         started        process5 process6 12 sileax.exe 10->12         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/16c6b4c1d616cf406d917ba4bdab7c23fba2752bbe308d0f241eb1f1c57927b8/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 09:42:18 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c3dljqowc3hua3mrposl3k34ep52e5jlxyyi2dzed2y7drlze64a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0f46e1c5fdbd54458ef74a762dcdf4e9a9c6caabc843025422ba903236348dfb
Formbook
280a181eae2d790e6992653b19b216b9407a948f42d32db3ad78e81660ff1f8c
Formbook
31168981af16e0fc209774a91e04e5aaf622cacbed12e970b7a35db0705174d6
Formbook
5de06778dd414ee2cc418f089914bb7a656ccf854a30a004d286599cda4c4013
Formbook
6893bbff4695dce3754071670e11d7e7d310ad196b57cdb41cd8c3cd7ea3d8f3
Formbook
7cbd8cc35b03d65491ad01b6a44b84dc047e6663189554201c24dbfbeb81473c
Formbook
d2cc3484cdabe8305bf9afd35530ca1118ca2c308408dc7140c3a94b392b60bb
Formbook
e8e0f125d909bafae93f469222f2cfbcb30585e03825d8442c8934a92fdd6c89
Formbook
fa3b721595b9e5571bcfd42767aa563f6e363a3fff9e9cdbfb525d0f28e62eb7
Formbook
ff3f7736a06e89ae300270369d83b922423c8a840903b30a8a21365c4b0b0628
Formbook
+ 9'353 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:nazb loader rat
Link:
https://tria.ge/reports/220216-lmma6abed9/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
Unpacked files
SH256 hash:
4bee8651548f2e8fe11ac5bd9a73d1aa019201926d545f1b1a14f6e3234c0417
MD5 hash:
00ce39661f777c6a4b9388058d979709
SHA1 hash:
5a886b6426ce2a075f205ffba84e43effa9d6a6c
Link:
https://www.unpac.me/results/b1a02a4c-9f0d-45a8-a68f-56c44e9acff0/
SH256 hash:
46cefb82144befecad954666b8dad593bc57c84009ce8642f7edb15a36436803
MD5 hash:
730577b496a5d7f00958c13e92143cea
SHA1 hash:
70ac754c76726caabf442ffd1f4ee874388ed028
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b1a02a4c-9f0d-45a8-a68f-56c44e9acff0/
Parent samples :
5cfd3b8ba7a3da6c08222b824d569148499ebfd98ae94b991157bda8f78ab515
16c6b4c1d616cf406d917ba4bdab7c23fba2752bbe308d0f241eb1f1c57927b8
0845f5cac8b3d88214e3ce7de031261deebad1751e592d7221c65b7724c56f2b
6ff46a14b9b9ee749f6d723246afa1f2c82e85433de7c243d9b66046fa25fa42
SH256 hash:
16c6b4c1d616cf406d917ba4bdab7c23fba2752bbe308d0f241eb1f1c57927b8
MD5 hash:
7a8631acfa6ee2a0aca399d09e5ba0b1
SHA1 hash:
aa97cd6186ea6aeb50d52c6690e3aad374c6b555
Link:
https://www.unpac.me/results/b1a02a4c-9f0d-45a8-a68f-56c44e9acff0/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/16c6b4c1d616/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/16c6b4c1d616cf406d917ba4bdab7c23fba2752bbe308d0f241eb1f1c57927b8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 16c6b4c1d616cf406d917ba4bdab7c23fba2752bbe308d0f241eb1f1c57927b8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2045123/
Cape
Cape
https://www.capesandbox.com/analysis/241864/

Comments


Avatar
zbet commented on 2022-02-16 09:38:10 UTC

url : hxxp://103.167.92.57/ProgramFile/vbc.exe