MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17560799b5c280bc9c03210bc5173826c9de6ea7d488f5ead4441933872ea690. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	17560799b5c280bc9c03210bc5173826c9de6ea7d488f5ead4441933872ea690
SHA3-384 hash:	5f939c5e5e5a78236491befcec5cdb8495178e20c9fe88338b2f8042d5ebd4de3b299aabd2cc83e3b0515b79dd9e7a5c
SHA1 hash:	b09c4b8d605fff91d1f31c636953f5886198fc34
MD5 hash:	06f6afea33ee23ebaefa83b591237da2
humanhash:	mountain-lima-nitrogen-charlie
File name:	SecuriteInfo.com.Trojan.GenericKDZ.72694.27004.19677
Download:	download sample
Signature	Formbook Create hunting rule
File size:	300'032 bytes
First seen:	2021-01-26 11:05:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8f2b089a16b59299cd24d450810f3320 (2 x Formbook)
ssdeep	6144:3C3LzLQ+Cz9RN8K/0ZwszrZAK3FMWuJPahjr5OSlT:SzlChHMZdzrZ93FQJPET
Threatray	3'639 similar samples on MalwareBazaar
TLSH	9D54CF117AC0C033D11361764A11C3B18A2EB9717B7A6ACB7BC91AB81F757D2DB3630A
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.GenericKDZ.72694.27004.19677

Verdict:

Suspicious activity

Analysis date:

2021-01-26 11:10:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/16c2dc3e-3f85-4161-a962-f6f126a668ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/113868/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.72694.27004.19677.UNOFFICIAL

PUA.Win.Downloader.Firseria-6804617-0

PUA.Win.Adware.Firseria-6840971-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/590504

Signature

Contains functionality to inject code into remote processes

Detected unpacking (changes PE section rights)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/17560799b5c280bc9c03210bc5173826c9de6ea7d488f5ead4441933872ea690/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-01-26 07:27:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

3ed3126cfc3094e0f1a5736369cc55f68feb9bf6c9e31ba6e00e36f11917bc18

Formbook

5551c39b0838a38711babfe60b36dda8855791ce1512553858fbaff025d31122

Formbook

86879b01844ab067722fd2ca12bf5a666136348ca9a7f72a33ca42d9707e84d0

Formbook

9606fd4c72596ac59b67b738dcb693daff05b981fcd98f56a481dbb749d3b78f

Formbook

9bbf5d9bbd2233a988ab0404217e8750154c3f93aef5555ba7cdbc94d23257b1

Formbook

bfe365fae8e14aae158de051972efe75103b705f7d8cf84061f857d79bb1993b

Formbook

ceb2632fac30996ac58a50455d968873321f7a18972db02e9535b485a3b0e2f7

Formbook

d81f4b6a0b8650415e2c2acfe4ee223f6826b3b6849393f4de2db4f3a814beaf

Formbook

e2d83de235b73fa4366db562daf7a16884eb632bc00ac8d12d371bdc7a2d1c2f

Formbook

+ 3'629 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader loader rat spyware stealer trojan

Link:

https://tria.ge/reports/210126-bhxwwdmyax/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Formbook

Xloader

Malware Config

C2 Extraction:

http://www.douzhuan168.com/o8na/

Unpacked files

SH256 hash:

765705665c2b25a4f660c1a3fcb7acbd5b32a8385b05efbe2005979e11d934a3

MD5 hash:

1f2c5fafe1a902c6a225dbd5846f4d23

SHA1 hash:

b7eee626e318ac50652604ee86230fb3dd46c53d

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/cca4ff4e-2fa1-4584-9a6d-b5c234fd093c/

Parent samples :

3ed3126cfc3094e0f1a5736369cc55f68feb9bf6c9e31ba6e00e36f11917bc18
17560799b5c280bc9c03210bc5173826c9de6ea7d488f5ead4441933872ea690
17feaeb1ed83aa5acfcf5b6807ad231530fb44c2e7f5a69552b68ca4fe14b941
4f458d13d054cb8e9cb734d6929fe65b59b2a25e2c460af1fc788ca490118a85

SH256 hash:

17560799b5c280bc9c03210bc5173826c9de6ea7d488f5ead4441933872ea690

MD5 hash:

06f6afea33ee23ebaefa83b591237da2

SHA1 hash:

b09c4b8d605fff91d1f31c636953f5886198fc34

Link:

https://www.unpac.me/results/cca4ff4e-2fa1-4584-9a6d-b5c234fd093c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/17560799b5c280bc9c03210bc5173826c9de6ea7d488f5ead4441933872ea690

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 17560799b5c280bc9c03210bc5173826c9de6ea7d488f5ead4441933872ea690

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/978586/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/113868/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample