MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23e8ba1d8d29ea665daabb8f4e20b677eb9bfffc202b7e6d9cd40d7682e7eaa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23e8ba1d8d29ea665daabb8f4e20b677eb9bfffc202b7e6d9cd40d7682e7eaa4
SHA3-384 hash: 26e2482c722424aaa688d096de5403ea7e7d28c1b4a3fddede2399229b4a3c308891a335de2cba5a3e7e48d7b658b067
SHA1 hash: 40e463bea1b7f2507db6c1cc4f79625f231102a2
MD5 hash: 85080a8101d32b0cf63d8eb7a558f2d5
humanhash: fillet-juliet-johnny-blue
File name:FFRQVQV4NZDGKS5.EXE
Download: download sample
Signature Formbook
Create hunting rule
File size:1'092'608 bytes
First seen:2022-03-24 10:15:08 UTC
Last seen:2022-03-24 11:44:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:jkr42zgrPSK33xarPSu6lQs/txOnaymMP0hjhcbBBPWMsWD:jkfsrPS4Ba+uuQs/enapjqp
Threatray 14'625 similar samples on MalwareBazaar
TLSH T1C935F18C7650B2DFCC2BCD72CA681C60AB20686B570BE207A45711EDAB4D99BCF155F3
Reporter cocaman
Tags:exe FormBook payment

Intelligence

File Origin
# of uploads :
2
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/257126/
Detection(s):
SecuriteInfo.com.W32.MSIL_Troj.CAI.genEldorado.9869.26595.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/623c44bfdfdfa8501cd7ee21/reports/ec0b70c0-5559-4600-b053-305f2198b0bf/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cdad37ef-2bca-4291-857f-5b9081b5da84
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/963654
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/23e8ba1d8d29ea665daabb8f4e20b677eb9bfffc202b7e6d9cd40d7682e7eaa4/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-24 10:16:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=epuluhmnfhvgmxnkxohu4ifwo7vzx774eavx43m42qgxnaxh5ksa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2b4ae3511a344b0417708b8bb5765da86678d5a8c4d87a367eec42937d242965
Formbook
309823f6a6820db5d24443327e3b566f8d2aa16b3a9052086f521488a46e1532
Formbook
39d7f0b102aca1db8c71a3a7af79ece2aa2100dbaf1c20237d75e36271833ef2
Formbook
5f5195f363ef21135a5b5298c2a3576bd03125eec094d769b25296eb0a2605b9
Formbook
768252369536d1e56aad57c5015925ec464642d13d76468db72e60f9ac4e1a54
Formbook
9f085df3f1da75ba799ca984603fe267f891be8e6ac24c52b907cc97e6879467
Formbook
aa768c2c6e6e99313d1de9367ad2b894ce051ae3ce3ed1aeedc806ab8b0a0f80
Formbook
af985554eebc4990f77fc7c337d7af4367c2e28acbb41386669e5fa3bb55fbcd
Formbook
b7f5857586780b4dba775eb6d75c03ee627405bbedf03c7e1966ec8abb3f2c6c
Formbook
c68894e6a7551cdf34c082a0ba372f9544d07aee0f2d09dfb7fed3e664e91aaf
Formbook
+ 14'615 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n35q loader rat
Link:
https://tria.ge/reports/220324-maabhaffd5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
f8d983f6324ccc9792d712f96f0ad5cdc98d68ad01816d8141c4a311167f0968
MD5 hash:
5b246b5c2a803f0e025aa3f47262d00f
SHA1 hash:
8c51bb6fb14ef72f3f48830e8bfd5719f5074aad
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/54c5e08f-6fe7-40d2-b55c-131154f6d231/
Parent samples :
23e8ba1d8d29ea665daabb8f4e20b677eb9bfffc202b7e6d9cd40d7682e7eaa4
7b25cfa3fd8510d716490999e1fb90d79330f8e852aa2d539060e4768ffcf058
SH256 hash:
dc5c057b0ee1eb079cf189762aac69f0d86338ea18795dc4fbf7ed9b5a45c2eb
MD5 hash:
4103ed94f4747b30e166cf3c25416f47
SHA1 hash:
d553a67056e94f60d621ca42dcecd6d93f9ef1ad
Link:
https://www.unpac.me/results/54c5e08f-6fe7-40d2-b55c-131154f6d231/
SH256 hash:
6750ff5a88d58e63088bac7b72630134742fb47bb7579542be267dbf8bf58a7f
MD5 hash:
374d78c32b688c1ef1a3e3b03b860520
SHA1 hash:
c9e4359cf0aa38e638d8951e53e98201afb13b6d
Link:
https://www.unpac.me/results/54c5e08f-6fe7-40d2-b55c-131154f6d231/
SH256 hash:
01218ee1e5401b6436126eb4f8922ee329c6b2d976f824cf6fa36cbf0d939523
MD5 hash:
ad0980b8bd1f48da829cc16c309401c9
SHA1 hash:
51b79e96127db3a169dc387440b0e6360cb764ce
Link:
https://www.unpac.me/results/54c5e08f-6fe7-40d2-b55c-131154f6d231/
SH256 hash:
23e8ba1d8d29ea665daabb8f4e20b677eb9bfffc202b7e6d9cd40d7682e7eaa4
MD5 hash:
85080a8101d32b0cf63d8eb7a558f2d5
SHA1 hash:
40e463bea1b7f2507db6c1cc4f79625f231102a2
Link:
https://www.unpac.me/results/54c5e08f-6fe7-40d2-b55c-131154f6d231/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/23e8ba1d8d29/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/23e8ba1d8d29ea665daabb8f4e20b677eb9bfffc202b7e6d9cd40d7682e7eaa4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 08a5b5726ce814406322ad5489cb520d6591cf77f8163cb361ef7b3b94cb89e8

Formbook

Executable exe 23e8ba1d8d29ea665daabb8f4e20b677eb9bfffc202b7e6d9cd40d7682e7eaa4

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 08a5b5726ce814406322ad5489cb520d6591cf77f8163cb361ef7b3b94cb89e8
Cape
Cape
https://www.capesandbox.com/analysis/257126/

Comments