MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 231a3fbd49c3daf40fef287f590ab7aa161ca51b09ecca28f5cdd92d4c9004ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	231a3fbd49c3daf40fef287f590ab7aa161ca51b09ecca28f5cdd92d4c9004ab
SHA3-384 hash:	d6e842c151d7d266576130945095a75d302be489667ade030588956a29e3fa9e1de456cad0f4bb323d7166669b89b059
SHA1 hash:	c435d13f3a5fe39b96c37a47b04a001a08d6b5fe
MD5 hash:	a497c027535b445ca14022705484af5f
humanhash:	carbon-wolfram-princess-salami
File name:	a497c027535b445ca14022705484af5f.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	247'896 bytes
First seen:	2022-02-08 08:17:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep	6144:ows6QPZhBefw3chPgQotzwIP4XEHzozBcNufG5scjY1Tn:3mhBdgOsKCET6EAGpYp
Threatray	13'149 similar samples on MalwareBazaar
TLSH	T1DB3412BD50C4E4ABF6C69F32187BCB17E7F7A3121E25891B9FA44D5A3506087E421387
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

175

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/237844/

Detection(s):

SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6202273dc79b424d7207ca31/reports/2a86ed92-6661-4eac-bdae-77a8beb1891c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7b71320b-276f-4af6-91aa-8684552e5249

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/935941

Behaviour

Behavior Graph:

n/a

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/231a3fbd49c3daf40fef287f590ab7aa161ca51b09ecca28f5cdd92d4c9004ab/

Threat name:

Win32.Trojan.SpyNoon

Status:

Malicious

First seen:

2022-02-08 05:53:27 UTC

File Type:

PE (Exe)

Extracted files:

4

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Similar samples:

34fc8a270fda2856448cb455e3dca4d8210f5e83f25f1fa8339d8f428a449466

3c3ef93ea804d5d80ecbdb244ddf7fe2ab657f54089a397f0c79d89dfef5c95c

4d1ac5962b58c0bf6386b85fc1c2029efb0c8d5ccf0054733795eec1ea8b3291

703f4546b4adc3e685275a9840bafac150717c3259f629f6bf9bd8e5d191ad46

7c7116c6a0f1e06e4c252ea45668b85c1fdf3f35216097be1208e14be4066b36

b1e2238ed835357f061456c7a38d0620cef8b78f0e1a9856133cc5b2805e0ed1

dc65156bfa6da463f9eb980c3a551ba0cd494b53a55b3a2e9b41c766ca3c011c

e8e0f125d909bafae93f469222f2cfbcb30585e03825d8442c8934a92fdd6c89

f777ad0feb1db2da7abb7c793515f7af49d06a7b4fc5904a9da436ccbd59ddc3

ff3f7736a06e89ae300270369d83b922423c8a840903b30a8a21365c4b0b0628

+ 13'139 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:b80i loader rat

Link:

https://tria.ge/reports/220208-j7caksehd7/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Loads dropped DLL

Xloader Payload

Xloader

Unpacked files

SH256 hash:

e59d0a50da4309a938def8a89a674adb0957dee364df358f08bc5ed5c7894b8e

MD5 hash:

6f127f705d2b6bf51227e42019b2c11e

SHA1 hash:

fe7d576131bda197ed100d4f3d20651682482b93

Link:

https://www.unpac.me/results/5641eba7-6545-41a9-a4ef-b2651c9b41ea/

SH256 hash:

231a3fbd49c3daf40fef287f590ab7aa161ca51b09ecca28f5cdd92d4c9004ab

MD5 hash:

a497c027535b445ca14022705484af5f

SHA1 hash:

c435d13f3a5fe39b96c37a47b04a001a08d6b5fe

Link:

https://www.unpac.me/results/5641eba7-6545-41a9-a4ef-b2651c9b41ea/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 231a3fbd49c3daf40fef287f590ab7aa161ca51b09ecca28f5cdd92d4c9004ab

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2028772/

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/237844/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample