MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e0ffffac4a1077450af5cd08414d45c275605cdedd7a3138a863b96ea3624ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	1e0ffffac4a1077450af5cd08414d45c275605cdedd7a3138a863b96ea3624ab
SHA3-384 hash:	3abfd588162c1057bf865767b6e274bc56ac44a189140d6bb3ae296648ffc73080496e54811eb2ca0bfe10204d225944
SHA1 hash:	508369a537e7db8b44505f2d2d55f57ddefad947
MD5 hash:	7f67485d2d0a280dce0e66d24fa97972
humanhash:	alanine-johnny-diet-west
File name:	7f67485d2d0a280dce0e66d24fa97972.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	935'936 bytes
First seen:	2021-01-20 14:45:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'453 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:eOTOdFkHCo42Y1e0Lw8LInh43Qzm70jZUp8rkbsEX7ftItY2UHPjknsVQISy9zku:eOAFkigYUGw+InaQKMZEnFLVItoHPd9
Threatray	3'589 similar samples on MalwareBazaar
TLSH	A9155CAE324072DFC967CD36D9981C24EBA0B477930BD247946315EC9A4D99BEF240F2
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

150

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7f67485d2d0a280dce0e66d24fa97972.exe

Verdict:

Suspicious activity

Analysis date:

2021-01-20 16:11:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1b6c658c-4c58-4e94-a989-76d89e2918d9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/113137/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/586236

Signature

Antivirus detection for URL or domain

Binary contains a suspicious time stamp

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/1e0ffffac4a1077450af5cd08414d45c275605cdedd7a3138a863b96ea3624ab/

Threat name:

ByteCode-MSIL.Trojan.Ymacco

Status:

Malicious

First seen:

2021-01-20 14:46:06 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dyh776weuedxiufpltiiifgulqtvmbon5xl2ge4kqy5zn2rwesvq._file

Verdict:

malicious

Label(s):

formbook

Formbook

3571d3ca49f3c593d4b34f2d7bd9aa8ab2b0bfb99111a2a2561a0d25d494fa2f

Formbook

750292519a4b694e981556bdaec9c5b568ac54f1b9cb52fc1f740cd45b2748ec

Formbook

7b5c683c8f9571d55f21bdd73cec4b0f39a169265e58c5877ca94203e61548af

Formbook

7cea909eb4fef13fdeee846b808200826a8de0292ba555bcc4fefdde642dbb55

Formbook

84cb3c9404d520f05f868b550697de2803c587b02fc156764c953a12a227e4d7

Formbook

b96e65c2c4d2cdbe32d98e9f24a1e5f1d74bdaa0f47088cc70d48f4be730dc55

Formbook

ba2963b7da8a1df3e40441825654972ce2a5903c9f27bc081e42795c296c80eb

Formbook

bda9b47b8a3ca85a643a426750e309fe77d948e2d6f704a8a56ba452dd1531ae

Formbook

ed035bd3cdab82c607f296fd966c4064f0f04c9011d9e7744ca3e7739ed7269b

Formbook

+ 3'579 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader loader rat spyware stealer trojan

Link:

https://tria.ge/reports/210120-at4zvnfja2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Formbook

Xloader

Malware Config

C2 Extraction:

http://www.rizrvd.com/bw82/

Unpacked files

SH256 hash:

0741117b2fafba8a3a8ae382fc10786bb2529a8432ce0577c6935e8526ddac5b

MD5 hash:

68636a5ff4233a2c2eb38ff504bc0433

SHA1 hash:

de4bb3f7abdfdcb03af952cae091d98ed8ed6f71

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/d237a0b1-fbf6-4504-bcf1-b7e4f3156412/

Parent samples :

0110a52c51d060db8c4b9f3d654340fdf954bd7ceb47956e235ebe5921a57df4
7cea909eb4fef13fdeee846b808200826a8de0292ba555bcc4fefdde642dbb55
38a0bf5c98a42c67d5612b0b377c51725caedc64b19f9c4d20f0ebc6fe972c0d
cd1cdd19d3500f9947de10caa28d3fad75bc207faa10b7f9f7aab88c720dea1b
8ec223664a9b73308e2fdd73bcaa525d4a152a0b9ab799889539d98efcc07c09
bda9b47b8a3ca85a643a426750e309fe77d948e2d6f704a8a56ba452dd1531ae
6c953b93cf75e79db29a1ae424ee8da08962cbda1ec84a49281cccb51013594b
9335b040e7823155fcde32d1cfd5268db42e2f9c191e2144269800adb2a820d8
4924681f7988a37fccc12475b5cf9fa0013fb00d1a8da2dfc4c4e25236b35d7d
3579fdebe1647aa6a9172a2d808fa43b66a9ebc0e09aba02e1ed70d74dad67e2
ba2963b7da8a1df3e40441825654972ce2a5903c9f27bc081e42795c296c80eb
b96e65c2c4d2cdbe32d98e9f24a1e5f1d74bdaa0f47088cc70d48f4be730dc55
204cd2ef2cb64300f46ba8ce7dae3507b6861cd9225e3bae6fc2303360585ef4
38f7338384d3c8576e23aa876f7819c1f201e027bb586900aca0411ea665f07a
750292519a4b694e981556bdaec9c5b568ac54f1b9cb52fc1f740cd45b2748ec
7b5c683c8f9571d55f21bdd73cec4b0f39a169265e58c5877ca94203e61548af
2ad7e15e59c05d71f2682a81f2bf2872eb4421b343a4c4b96748a31064445494
ed035bd3cdab82c607f296fd966c4064f0f04c9011d9e7744ca3e7739ed7269b
27196c6c79c8cdb02b4ee6b1028ec11aa38bbeea6d94d956a22ab1228c65b733
1e0ffffac4a1077450af5cd08414d45c275605cdedd7a3138a863b96ea3624ab
31f4d8bb8797649e9de2f8adc7b7e679775784d33d686d7c76429c4fe97a7c07
b073ef66058998fc6ee7c61fb6eeaffe28a816f36dda995edcd1a6e893deedd3
73acf08c9a3ee5b8208b8e21f1c88d9820b6bfc58ddbf1d7eee2029b7626d271
40acc1cfe1986fee292469e21c175d68bed0502f46af424d0cd8ec42e0ead72d
2938b38c785f109befe2eb2768082aea672c27e978e52998a4bca8526b1a669f
d63c5bbfea14e5cbfc013e0df1c94ff9eb0ea87d95bcd3fb8ff9047cd58dc8aa
9ba1b16e84be57d419e0a19248f13f186bcf9a2d98e97936e16d1fceb0357b97
7dfb2d60095157148fcb26bdfc4270ce6d5e3678c60628b8f683c4e1adbd8043
ebbcc767acc5337309a6f0770c52236b131cbcffb3e843e4bf132489cb2001cc
5d85f149c5450263866d98fadff08504e1a05837cdead5792f291303dfa3438d
0a818e0d6e682be8b8b7a4ec2becdb2de6c05d5503c6f397a63d18ccf0fa9b0f
958cedb2b814c4f1e6c4cb514d5b3eff4a816777baa9533f67f3106b4e18920a
8a432739f45c70d580007c9e4586d826507821bd978c192a5f99c51e85444e6c
e2f640f8cdc89a54ecd8d1a0c8d4b8a4d1e6560f086fd82d05e0010d95a1d9e9
2389280eef390b0fc6e10447d91e265c3c9fb0de749707a8aeeb1a72de2269c4

SH256 hash:

658ba6aef2b52911c0a79df3300b3a6b34feab1b1f77c6b21630fd827c150e8e

MD5 hash:

a79544f4019313ebf6e7bf4eb898c7cf

SHA1 hash:

ba7437709e2123cb70bc292280e8a0b4e5f11c0a

Link:

https://www.unpac.me/results/d237a0b1-fbf6-4504-bcf1-b7e4f3156412/

SH256 hash:

ee089a1b8055d362f0c2073363a11d0dfd8c89f1fb74a45e97facdc179c38368

MD5 hash:

cf22f8df3b2d4df40ddd5a0c2dd52d35

SHA1 hash:

9d946a80536cb4be20324d534fc822fd4ca339be

Link:

https://www.unpac.me/results/d237a0b1-fbf6-4504-bcf1-b7e4f3156412/

SH256 hash:

d0999589f7adef68ec199111e28b4da9427204b9e6f6905d43cc8c1be705d9d0

MD5 hash:

0c532cb1872435b4e1ed506430fd09ac

SHA1 hash:

619f26f56505911a645c7b9089b884a2c0ba7b57

Link:

https://www.unpac.me/results/d237a0b1-fbf6-4504-bcf1-b7e4f3156412/

SH256 hash:

1e0ffffac4a1077450af5cd08414d45c275605cdedd7a3138a863b96ea3624ab

MD5 hash:

7f67485d2d0a280dce0e66d24fa97972

SHA1 hash:

508369a537e7db8b44505f2d2d55f57ddefad947

Link:

https://www.unpac.me/results/d237a0b1-fbf6-4504-bcf1-b7e4f3156412/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/1e0ffffac4a1077450af5cd08414d45c275605cdedd7a3138a863b96ea3624ab

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 1e0ffffac4a1077450af5cd08414d45c275605cdedd7a3138a863b96ea3624ab

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/971752/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/113137/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample