MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea
SHA3-384 hash: 94d42359cd81ed7205a6cce00bb65796710730214bcbdd4c40fa786b9f7689d97430a1c2608421cf50a1422a4a2039f8
SHA1 hash: 0d5b0939d3173b564e70b75d4602f6b6a98c1d62
MD5 hash: d87e98edbd86dd094aae5a8af277eae3
humanhash: may-monkey-item-bravo
File name:d87e98edbd86dd094aae5a8af277eae3
Download: download sample
Signature Formbook
Create hunting rule
File size:345'395 bytes
First seen:2022-02-28 09:37:01 UTC
Last seen:2022-02-28 11:48:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGiQNPQNTpm07PCQkJegorkj3ZtA6osSzZDGei81wCFVkQS1+eNOhTu3mz2wUj62:uQN57aPJbosyCP81E+S+T9Cwg6UG6
Threatray 13'813 similar samples on MalwareBazaar
TLSH T186742363B7D08E97D1A0583A54726B7FE8BD6284D16609BF43EC5F083962B47CA05CB3
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/245268/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.7473.1396.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/621c97ccdfdfa8501c6aa5cb/reports/9f559319-745f-4c46-92aa-fad5870d6e04/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/156e93e0-ab5f-477f-bd26-ca1bae0cf3b5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/947256
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 579735 Sample: ClePJrdvp6 Startdate: 28/02/2022 Architecture: WINDOWS Score: 100 33 store-images.s-microsoft.com 2->33 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for URL or domain 2->47 49 3 other signatures 2->49 11 ClePJrdvp6.exe 18 2->11         started        signatures3 process4 file5 31 C:\Users\user\AppData\Local\...\evpzwetlr.exe, PE32 11->31 dropped 14 evpzwetlr.exe 11->14         started        process6 signatures7 55 Tries to detect virtualization through RDTSC time measurements 14->55 17 evpzwetlr.exe 14->17         started        process8 signatures9 35 Modifies the context of a thread in another process (thread injection) 17->35 37 Maps a DLL or memory area into another process 17->37 39 Sample uses process hollowing technique 17->39 41 Queues an APC in another process (thread injection) 17->41 20 msiexec.exe 17->20         started        23 explorer.exe 17->23 injected process10 signatures11 51 Modifies the context of a thread in another process (thread injection) 20->51 53 Maps a DLL or memory area into another process 20->53 25 cmd.exe 1 20->25         started        27 explorer.exe 1 126 20->27         started        process12 process13 29 conhost.exe 25->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-28 01:22:51 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
05af1ccc6696a83c58e46a5347b40959329af79869e9747399befbe97c85104b
Formbook
0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780
Formbook
19cf4ce7f3aa0cb41dae8a27aa4421dce752bb3e083e8e0daf138bdfc113c7e6
Formbook
230f53c0367ccdf77ff1f665ea66fcb2e6bb18c999b798980d8e0c9c19421eb3
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
3ec75c58983e9fa89e37b733d2dc7d3ae966b52066bcb8662cd47277fcae1aa0
Formbook
64c7583a94ab474b9cd3509e8ca73eb7a19e70ffc2c4fa4582ccd7fd3f10c5ec
Formbook
705bf99df489a6945a540499bc8c6d7b7564d9a255629e326013d4a85bb77a78
Formbook
75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5
Formbook
8e2fa281cc72512de1fc53eb27a9c04a524ce87c3cdf5932931ea3dc463a459a
Formbook
+ 13'803 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:rzwo loader rat suricata
Link:
https://tria.ge/reports/220228-llgz2sfcek/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
c6ceb3bbeb4b77c856253bee34ae3e19a235310111e828ee20ca3b879599e230
MD5 hash:
e39f92faf073501abbb52cc23af609fd
SHA1 hash:
3fd13d5c9e9df6cee41048284ec6fe99af7bfc16
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c5cbf737-5c86-4585-97e3-d7d4aec05bc0/
Parent samples :
1900d46bb03d8aeb4a1bfef16cd5b45903dc56c89b0dc7784b45c89f17a9f895
190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea
487abe718971e8c9415793ffe0c162a4843aeeb5d4667981bb0be983f7710f4e
9d42e6621d13c43c63721e4f9b4f63c00ef1d7e97cb0fe061bd19cbcc6e2e735
224f624a53eb1c209d1fc9161cb9d91464768960765e64855ccf547d0c64c478
SH256 hash:
9a5cf02d54fe8b1082dd97407a2284a64b143c976e1b0239e0240dbd735ff3b5
MD5 hash:
9411a707b7131e0064395e14d8e21843
SHA1 hash:
ac5ccf96cfd564a2f84c5503b4c9d3b30d3564fb
Link:
https://www.unpac.me/results/c5cbf737-5c86-4585-97e3-d7d4aec05bc0/
SH256 hash:
190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea
MD5 hash:
d87e98edbd86dd094aae5a8af277eae3
SHA1 hash:
0d5b0939d3173b564e70b75d4602f6b6a98c1d62
Link:
https://www.unpac.me/results/c5cbf737-5c86-4585-97e3-d7d4aec05bc0/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/190845482673/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2066089/
Cape
Cape
https://www.capesandbox.com/analysis/245268/

Comments


Avatar
zbet commented on 2022-02-28 09:37:02 UTC

url : hxxp://103.156.91.63/space360/vbc.exe