MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d7800d50de8019f5f30a281730f4a77a39b14bff8bc385a302508eed2cfa5be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 8



SHA256 hash: 1d7800d50de8019f5f30a281730f4a77a39b14bff8bc385a302508eed2cfa5be
SHA3-384 hash: 6e1cb94ed627b7e5de3435e1566f4eb9b57505c61ce8a83b6d14a868c04e4436cd77bf64f4c2c2b4186b943456804a8c
SHA1 hash: d54ad90c4542f8de1eef0cfdb427decb3eada630
MD5 hash: 6803bb0ea46eca1dc973c636efd058fb
humanhash: snake-august-quebec-william
File name: 6803bb0ea46eca1dc973c636efd058fb
Signature: Formbook
File size: 933'888 bytes
First seen: 2021-11-05 16:20:45 UTC
Last seen: 2021-11-05 22:04:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 56b4814557e2e2739d9a5efb22e955d4 (3 x RemcosRAT, 1 x Formbook)
ssdeep 12288:zvY8dhGipM4Yld9SyATMUCAyo5qTThHokUflI+5MWBnsQfnEPV:T9b3O4YldFATMUR5eIv5PBlfK
TLSH T1E2156C529D4004F2F1631338796A9BB9ED35FE202A2C54461EBA3E4E4EF72813739D5B
dhash icon 697110152b2b1530 (9 x RemcosRAT, 6 x Formbook)
Reporter zbetcheckin
Tags: 32 exe FormBook

Intelligence


File Origin
# of uploads: 3
# of downloads: 127
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fareit keylogger remcos
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DBatLoader FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph (ID 516632; sample pO3zAA9lwc; start date 05/11/2021; architecture WINDOWS; score 100), reconstructed from the rendered graph:
Top-level DNS/IP: www.warlordqlxhgs.online, www.certifiedva.net, ghs.googlehosted.com
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
pO3zAA9lwc.exe (started)
    DNS/IP: onedrive.live.com, mgaqrw.am.files.1drv.com, am-files.fe.1drv.com
    Dropped: C:\Users\Public\Libraries\...\Dohtdouw.exe (PE32)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign process
    DpiScaling.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
        explorer.exe (injected)
            DNS/IP: genuinemerchant.com (192.185.16.44, 49823, 80, UNIFIEDLAYER-AS-1US, United States), www.thewitchandcauldron.com, 9 other IPs or domains
            Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
            Dohtdouw.exe (started)
                DNS/IP: onedrive.live.com, mgaqrw.am.files.1drv.com, am-files.fe.1drv.com
                Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions
                mobsync.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
            Dohtdouw.exe (started, second instance)
                DNS/IP: onedrive.live.com, mgaqrw.am.files.1drv.com, am-files.fe.1drv.com
                Signatures: Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign process
                logagent.exe (started): Tries to detect virtualization through RDTSC time measurements
            cmd.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                cmd.exe (started)
                    conhost.exe (started)
            WWAHost.exe (started)
        msiexec.exe (started)
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2021-11-05 13:49:22 UTC
AV detection: 16 of 28 (57.14%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:s9m3 loader persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Malware Config
C2 Extraction: http://www.445221.com/s9m3/
Unpacked files
SHA256 hash: fbe655215047e80d159397743c259cc9f70d8f784c5ffd740f8f954cb837c8a7
MD5 hash: 9218160976bd8327e5ea2e92b613174a
SHA1 hash: be9e90423c95800383bf6e9d06daaaa4ff89fa8c
SHA256 hash: 19c79953429d962eae3cb164c471cdbca1a3aa605ddb7d5fab3e940abf6b713e
MD5 hash: a518a5d0006f1f692af082c713c04fa3
SHA1 hash: fe10797c50f4cc900b97e6327ecb56070250f74d
SHA256 hash: 1d7800d50de8019f5f30a281730f4a77a39b14bff8bc385a302508eed2cfa5be
MD5 hash: 6803bb0ea46eca1dc973c636efd058fb
SHA1 hash: d54ad90c4542f8de1eef0cfdb427decb3eada630
Malware family: XLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: Formbook
File type: Executable exe
SHA256: 1d7800d50de8019f5f30a281730f4a77a39b14bff8bc385a302508eed2cfa5be (this sample)

Comments



zbet commented on 2021-11-05 16:20:46 UTC

url: hxxp://192.3.121.164/22022/vbc.exe