MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 224f624a53eb1c209d1fc9161cb9d91464768960765e64855ccf547d0c64c478. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 224f624a53eb1c209d1fc9161cb9d91464768960765e64855ccf547d0c64c478
SHA3-384 hash: 379209a8020f1a1cd0c418c1c74fd5091d82a4087e547728fde4c0395aca5879ca9966f94077d26df52c8cdadbb9ed5c
SHA1 hash: 452689641b92228e6a9368706f5fe7f47bbce729
MD5 hash: d2399cda7963f90c6b21468412300111
humanhash: september-double-delta-jupiter
File name:d2399cda7963f90c6b21468412300111
Download: download sample
Signature Formbook
Create hunting rule
File size:344'383 bytes
First seen:2022-03-02 14:02:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGiaVqvVAdYTlHag9oONmdFAn9bzPt0y4Kpu/eE3GzWHEzVx+04YRVAajX4AWsBq:YdKJHbzF0oummEaE+gX4/sB3vy
Threatray 13'928 similar samples on MalwareBazaar
TLSH T18874230FAA504DB3EAA30D714CB2977AB779964F0175DB230B305F78AC4A5A356232D3
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CBC549CDB87795FB9CC7262A135435B6CE7A134D
Verdict:
Malicious activity
Analysis date:
2022-03-02 12:56:43 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/9b6af7f3-f139-4fa7-9f68-b2a94b6c2b69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246324/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.1.1757.21969.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/621f78e2b94fb38cb438fa9d/reports/a744bc03-f627-4741-8106-ea0a9565a22a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ad218e61-cc45-46e2-9a1e-c2e961a974af
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/949147
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/224f624a53eb1c209d1fc9161cb9d91464768960765e64855ccf547d0c64c478/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-02 14:03:09 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejhwesst5mocbhi7zelbzoozcrshnclaozpgjbk4z5kh2ddeyr4a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
05af1ccc6696a83c58e46a5347b40959329af79869e9747399befbe97c85104b
Formbook
0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780
Formbook
190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea
Formbook
230f53c0367ccdf77ff1f665ea66fcb2e6bb18c999b798980d8e0c9c19421eb3
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
487abe718971e8c9415793ffe0c162a4843aeeb5d4667981bb0be983f7710f4e
Formbook
64c7583a94ab474b9cd3509e8ca73eb7a19e70ffc2c4fa4582ccd7fd3f10c5ec
Formbook
8e2fa281cc72512de1fc53eb27a9c04a524ce87c3cdf5932931ea3dc463a459a
Formbook
9d42e6621d13c43c63721e4f9b4f63c00ef1d7e97cb0fe061bd19cbcc6e2e735
Formbook
+ 13'918 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:rzwo loader rat
Link:
https://tria.ge/reports/220302-rb6tbafbb8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
Unpacked files
SH256 hash:
8329048c9f4337db476e54aa1074af7332f89128821bd280f767f899a0990234
MD5 hash:
f01e88dc6ac7967d0efa864850441201
SHA1 hash:
e488e1150133339af00cba771297767760484501
Link:
https://www.unpac.me/results/4d11112d-8383-43d6-b3d8-2134fb8d6900/
SH256 hash:
c6ceb3bbeb4b77c856253bee34ae3e19a235310111e828ee20ca3b879599e230
MD5 hash:
e39f92faf073501abbb52cc23af609fd
SHA1 hash:
3fd13d5c9e9df6cee41048284ec6fe99af7bfc16
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4d11112d-8383-43d6-b3d8-2134fb8d6900/
Parent samples :
1900d46bb03d8aeb4a1bfef16cd5b45903dc56c89b0dc7784b45c89f17a9f895
190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea
487abe718971e8c9415793ffe0c162a4843aeeb5d4667981bb0be983f7710f4e
9d42e6621d13c43c63721e4f9b4f63c00ef1d7e97cb0fe061bd19cbcc6e2e735
224f624a53eb1c209d1fc9161cb9d91464768960765e64855ccf547d0c64c478
SH256 hash:
224f624a53eb1c209d1fc9161cb9d91464768960765e64855ccf547d0c64c478
MD5 hash:
d2399cda7963f90c6b21468412300111
SHA1 hash:
452689641b92228e6a9368706f5fe7f47bbce729
Link:
https://www.unpac.me/results/4d11112d-8383-43d6-b3d8-2134fb8d6900/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/224f624a53eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/224f624a53eb1c209d1fc9161cb9d91464768960765e64855ccf547d0c64c478

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 224f624a53eb1c209d1fc9161cb9d91464768960765e64855ccf547d0c64c478

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2070828/
Cape
Cape
https://www.capesandbox.com/analysis/246324/

Comments


Avatar
zbet commented on 2022-03-02 14:02:10 UTC

url : hxxp://103.156.91.63/__cloud88save/vbc.exe