MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ab52bac5850518b5e948ea170b9d5b9f7e2aca962e4ed99d171085cdf970e19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	1ab52bac5850518b5e948ea170b9d5b9f7e2aca962e4ed99d171085cdf970e19
SHA3-384 hash:	35d04abe93ea9f13afecf38d1f3af181a0a84cf22cab27c4115c3faa35a0bc3f4337ba374d1ad5a6e7004c644adf0df4
SHA1 hash:	586fc929e8fe1de7f2593ba67c1e65404948278a
MD5 hash:	31627e0d4263b5339a38bc7f46464543
humanhash:	wyoming-equal-twelve-papa
File name:	EXPORTER_INFORMATION_340_29464003.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	700'416 bytes
First seen:	2021-08-30 14:14:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f781791341b79e2aa49e6187b296c562 (3 x Formbook, 1 x RemcosRAT, 1 x AveMariaRAT)
ssdeep	12288:9bSAuiSYEczIDyTFiPKu5mHNxMyqcLHazX:9bS78z7PuCfHqRD
Threatray	8'767 similar samples on MalwareBazaar
TLSH	T1D3E45CFDAD9C9032D2721538AC2B57754A247E467B78AC6366E03D0FF7B83E4281A153
dhash icon	f0c0db6c6a7af0fc (24 x Formbook, 6 x QuasarRAT, 5 x RemcosRAT)
Reporter	malwarelabnet
Tags:	exe FormBook modiloader xloader

Intelligence

File Origin

# of uploads :

# of downloads :

210

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

EXPORTER_INFORMATION_340_29464003.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-30 14:18:28 UTC

Tags:

installer

Link:

https://app.any.run/tasks/8ff29f9b-ee24-4d65-b533-bec90abcbaeb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/183805/

Detection(s):

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Trojan.Heur3.LPT.QGW@aK80jZiib.14884.8957.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

DNS request

Connection attempt

Sending a custom TCP request

Launching a process

Sending a UDP request

Launching cmd.exe command interpreter

Sending an HTTP GET request

Unauthorized injection to a system process

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eeb86959-5f2f-4864-9a8f-8da19c5d538d

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/841641

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject threads in other processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1ab52bac5850518b5e948ea170b9d5b9f7e2aca962e4ed99d171085cdf970e19/

Threat name:

Win32.Backdoor.NetWiredRc

Status:

Malicious

First seen:

2021-08-30 14:15:07 UTC

AV detection:

17 of 46 (36.96%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dk2sxlcykbiywxuur2qxboovxh36flfjmlso3goroeefzx4xbymq._file

Verdict:

malicious

Label(s):

formbook

Formbook

1ccdc34a2258984fb0df40dd979f71d4c11bce12cb6e840e90fbd9281254ade6

Formbook

3638ac885ef63f3b5bfadd95b0f43c34c3854e2483adde873b3d5fca7a831632

Formbook

4c10e02c77070c0558030d3e6ae93d73fb02ef21665eab6359f8a1b17fde0b9a

Formbook

660708a7f99d26de87386ca21682b96179f16f2dbc67578a704cb94d78e9848f

Formbook

7d803e44c98cd23b971f692182f8d1d508fe82fb0fd6b681e7896c552d88411a

Formbook

a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26

Formbook

a9010421ea97c10ab6147e6c5077fab296030b13c26b6645502b6165e2e9d4db

Formbook

aa600ea695abd3d2d6d445c6d2b07d3944cfbbf77f0850411ac426d9d6c037c2

Formbook

dd4114ea355d3f70e7683fb8491e2499347b6133bd9ef6d094a0cb6ad8aa4609

Formbook

+ 8'757 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:qcrn loader rat

Link:

https://tria.ge/reports/210830-1xrw3xf7gn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.kumarsceramics.com/qcrn/

Unpacked files

SH256 hash:

4e1202f3e7e04b0b3ca1df164bf5381f24063c142317e774d4e5d88b2b3ac744

MD5 hash:

aa23dee2c34813d67fe9c67ec784782a

SHA1 hash:

10b2e7af7cb9d6f852e6d607875a8c9613538930

Link:

https://www.unpac.me/results/67524eb8-1ccc-42e9-b19f-f0f33fb6c95f/

SH256 hash:

1ab52bac5850518b5e948ea170b9d5b9f7e2aca962e4ed99d171085cdf970e19

MD5 hash:

31627e0d4263b5339a38bc7f46464543

SHA1 hash:

586fc929e8fe1de7f2593ba67c1e65404948278a

Link:

https://www.unpac.me/results/67524eb8-1ccc-42e9-b19f-f0f33fb6c95f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1ab52bac5850/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1ab52bac5850518b5e948ea170b9d5b9f7e2aca962e4ed99d171085cdf970e19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/183805/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample