MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25c2cea54ad6c1b93026807e6a34e7278f4dbdb85fdd635cbcc83e7f247e3f19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25c2cea54ad6c1b93026807e6a34e7278f4dbdb85fdd635cbcc83e7f247e3f19
SHA3-384 hash: 0c2cc2d976df28d551990ba214a898f5b1cbd1387383dda163ba36f3260eb2735a176ca82b0d5e5330b8e49178d600c9
SHA1 hash: 0ba781217ce07a026a080426371f1eb11914b4f4
MD5 hash: f8391a575fe6ee058583475279454639
humanhash: item-lamp-lion-floor
File name:f8391a575fe6ee058583475279454639
Download: download sample
Signature Formbook
Create hunting rule
File size:1'060'864 bytes
First seen:2022-02-23 14:24:30 UTC
Last seen:2022-02-23 16:20:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:S5xCsIwC+tOw+suDI47v96xqcn6g4T6l9IWlpH5KGa1qZRqzwuEdLla6gYfPNbcF:Ndzw1uHS6g4TaIg2Ga1qZks
Threatray 14'130 similar samples on MalwareBazaar
TLSH T1E2354B9C365072EFC857C976DAA81C64EA60747B930FD203A06312ED9E0DA9BDF145F2
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/243817/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39050417.29183.12240.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit formbook obfuscated packed
Link:
https://www.filescan.io/uploads/621643c5875593a3cc0afa16/reports/4515649c-029c-471d-9b9c-cdc1770a93c9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/61bc875b-4b36-4620-b309-8c89bb90b7e5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/944832
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 577312 Sample: sq5KxSPvT9 Startdate: 23/02/2022 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 5 other signatures 2->38 10 sq5KxSPvT9.exe 3 2->10         started        process3 file4 30 C:\Users\user\AppData\...\sq5KxSPvT9.exe.log, ASCII 10->30 dropped 46 Tries to detect virtualization through RDTSC time measurements 10->46 48 Injects a PE file into a foreign processes 10->48 14 sq5KxSPvT9.exe 10->14         started        17 sq5KxSPvT9.exe 10->17         started        signatures5 process6 signatures7 50 Modifies the context of a thread in another process (thread injection) 14->50 52 Maps a DLL or memory area into another process 14->52 54 Sample uses process hollowing technique 14->54 56 Queues an APC in another process (thread injection) 14->56 19 explorer.exe 14->19 injected process8 process9 21 msiexec.exe 19->21         started        signatures10 40 Self deletion via cmd delete 21->40 42 Modifies the context of a thread in another process (thread injection) 21->42 44 Maps a DLL or memory area into another process 21->44 24 cmd.exe 1 21->24         started        26 explorer.exe 1 152 21->26         started        process11 process12 28 conhost.exe 24->28         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/25c2cea54ad6c1b93026807e6a34e7278f4dbdb85fdd635cbcc83e7f247e3f19/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-22 17:17:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
070264132f92fc5cb01521385e73bf36954d4093da205c59821e844abed68b5f
Formbook
0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780
Formbook
3554e8a6c968467f681a97f7d0af60e7be69d515ee9b093b8be749811ec99c0b
Formbook
70c6fd4de902c8ccce31380698b123def84b4d209c8b824e1065349a5aee9de2
Formbook
7bfabb3e53f70e2ad39155a8af8d7e27a07ec01b0ba8faed52cb569e4f78142f
Formbook
96077c533e59e3b8cf38826e5e37e35f1f2eb44d356eae6575223158b565198e
Formbook
b9829a5660b2dcf188de5595741b42380f091c30bb3be299e131b61171d7b513
Formbook
c0b711533265ba0808d1f7a5fc9b0dd17e19187c9566d9908763d27aaddf023c
Formbook
cfd1a77378decd68cd7a59307b77b93247bdd91e00de5111ecae6b5658c8665f
Formbook
e649ef1ecf0e0daefe140fa78271435271c8d55607f8365ddef4d94b66bfdfdd
Formbook
+ 14'120 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:mc3w loader rat
Link:
https://tria.ge/reports/220223-rraqtabgdp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
805e31eb01f9ae39d1c499b9b53b82465e4da262923da636c2e111a4cc8323b6
MD5 hash:
36f16f4feab12d3c2ca6d9315825dd5a
SHA1 hash:
2381cf9008793f573610455aff9683f762ee7924
Link:
https://www.unpac.me/results/4d0af0db-0076-4bcc-8488-a68b8b5f2324/
SH256 hash:
2d50f6e8d541475c2a75443997cb443a4e5829a1c9630d8a789b9102c1b4418f
MD5 hash:
4c80911e9e7eb04ea85d0bed71b0727b
SHA1 hash:
23b047057720f472dcb879c4a83d55f6275a6487
Link:
https://www.unpac.me/results/4d0af0db-0076-4bcc-8488-a68b8b5f2324/
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/4d0af0db-0076-4bcc-8488-a68b8b5f2324/
SH256 hash:
74d0dd17ce636a6a0c48dc6b211cd358ecb602efe165ec7b60d23ddda9462b4b
MD5 hash:
88f5639a50afd993c76ea84668a4e285
SHA1 hash:
4f85dafcecdd760abe0b63ee9ec6e1bc93ffdf38
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4d0af0db-0076-4bcc-8488-a68b8b5f2324/
Parent samples :
25c2cea54ad6c1b93026807e6a34e7278f4dbdb85fdd635cbcc83e7f247e3f19
60b97b4d45e3850d57a661bf37987909c1f99096384123594cc1b79d5449348f
aea459fb282282fc886f02283b2cfe1da12a6208e14859ffeb7f84a45a452bba
9f033092c39f84850b90bbeb99c2fa53bb621a8467cdf399f77e08bfa892548d
2af6b1cfe8812e9e1679f3a6a58a158420e771341dbea64f4853d6966bb589b2
dfd8941401c6e44bf380f982cd4b78d847f87fd3ea364418b00ceec92f97c500
8609b523be1b22061f1c01a8587f04874836d490196cfa09e8c1eed005f298a0
SH256 hash:
25c2cea54ad6c1b93026807e6a34e7278f4dbdb85fdd635cbcc83e7f247e3f19
MD5 hash:
f8391a575fe6ee058583475279454639
SHA1 hash:
0ba781217ce07a026a080426371f1eb11914b4f4
Link:
https://www.unpac.me/results/4d0af0db-0076-4bcc-8488-a68b8b5f2324/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/25c2cea54ad6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/25c2cea54ad6c1b93026807e6a34e7278f4dbdb85fdd635cbcc83e7f247e3f19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 25c2cea54ad6c1b93026807e6a34e7278f4dbdb85fdd635cbcc83e7f247e3f19

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/243817/
  
URLhaus
https://urlhaus.abuse.ch/url/2055579/

Comments


Avatar
zbet commented on 2022-02-23 14:24:32 UTC

url : hxxp://192.210.218.110/88/vbc.exe