MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22a943a5c28c80163c59b4a42923050c5af77fe9cc919aee6d1aab569d684dc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	22a943a5c28c80163c59b4a42923050c5af77fe9cc919aee6d1aab569d684dc6
SHA3-384 hash:	4a3fde201239eca633a6dc35bf606318e2545f4706108c49ac660943f4ca13cb49793b94ca43f8371704bd475cea60b6
SHA1 hash:	9c2d4c4ac1017ac91a5bd956e6864cefcd0f2bec
MD5 hash:	c5cfef9b7b6b39513f276093d7ef2157
humanhash:	quebec-lamp-batman-white
File name:	c5cfef9b7b6b39513f276093d7ef2157.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	887'296 bytes
First seen:	2021-11-03 19:19:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3513b15d2020b37cf2b66a761c75ed57 (3 x RemcosRAT, 1 x Formbook, 1 x BitRAT)
ssdeep	12288:WxBZN9xp6/Yo9sSbJ+RLbKvOS9cr9BE6ZyxDcC6CoueU:WF/C/N+1KWS49xy
TLSH	T11C156C65F1849632D41A3FF8CE879BFD14D5BF83692064166FA83F06CE35BA93426423
File icon (PE):
dhash icon	78f6b6aa8ed8e8b4 (11 x RemcosRAT, 11 x Formbook, 1 x BitRAT)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c5cfef9b7b6b39513f276093d7ef2157.exe

Verdict:

Malicious activity

Analysis date:

2021-11-03 20:04:16 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/fe52fffc-116c-4473-8e9b-5ffa2c91bd74

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/202001/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader43.55704.1799.2319.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger

Link:

https://www.filescan.io/uploads/6182e0e9bf51178dbe4d6700/reports/da5d451c-c911-46b1-afc7-42a6e34fa752/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/759fe827-6d95-4770-8f3a-587621b05f3c

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/882670

Signature

Found detection on Joe Sandbox Cloud Basic with higher score

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22a943a5c28c80163c59b4a42923050c5af77fe9cc919aee6d1aab569d684dc6/

Threat name:

Win32.Trojan.DelfInject

Status:

Malicious

First seen:

2021-11-03 10:55:09 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ekuuhjocrsabmpczwsscsiyfbrnpo77jzsizv3tndkvvnhlijxda._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:rqan loader persistence rat

Link:

https://tria.ge/reports/211103-x17d2aeeh9/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.cardboutiqueapp.com/rqan/

Unpacked files

SH256 hash:

70bd3e01b06e54d3623976213eedfe5ecdd635bc5432fc769f3d469a3d7321b3

MD5 hash:

5f784b2a0e9e31dcd2dcb8a42a76086c

SHA1 hash:

b165b8a2d8d5586cc2987f5a3af659ccfa662df8

Detections:

win_temple_loader_w0

Link:

https://www.unpac.me/results/0332e546-4442-41b3-abe0-961f4064173c/

Parent samples :

5319f3410910762ce2ce6846ee27fffcb22673693874bad5844510b627d0f715
8092efe07b8ea30e06c824d673824d1bdc867d6dc66ac83024256ca8620b2cc9
680c9cb7cec2aa66bb7b74385f8e31d2eb6f1894c0d1d1d9a44056da6c0234e1
5791b27e20fa666be3f44f75942070fda981fc2fadaa4e6d410376a41bde0d89
22a943a5c28c80163c59b4a42923050c5af77fe9cc919aee6d1aab569d684dc6
3e8b88231d978979494ad100ee0b578e89c8dc354b23f3b1caf9d0fd86a37765
1e1b82105fd64b23e2a37614fa59ff29c6bb675c1fbc8c43b0b56fe960d0080b
ee512919a9cfc596c316713b5456687ef0f53e53bd8b3a84ee4fb4792f8ac02e

SH256 hash:

22a943a5c28c80163c59b4a42923050c5af77fe9cc919aee6d1aab569d684dc6

MD5 hash:

c5cfef9b7b6b39513f276093d7ef2157

SHA1 hash:

9c2d4c4ac1017ac91a5bd956e6864cefcd0f2bec

Link:

https://www.unpac.me/results/0332e546-4442-41b3-abe0-961f4064173c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/22a943a5c28c80163c59b4a42923050c5af77fe9cc919aee6d1aab569d684dc6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time