MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25ea2bf5ae084d751e654229343f8390cf11c0d1930fda8009b3935a96317de2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25ea2bf5ae084d751e654229343f8390cf11c0d1930fda8009b3935a96317de2
SHA3-384 hash: d507ed0a837d5c87bc3c789f6c58e10f344203157989890008b1d0a90a693e0d2ab2a2ba9a36e1697eec0adcd2539a97
SHA1 hash: 290172320bcfc24ba5fe5f1aa3bea859fa97ebae
MD5 hash: ab57eff2aa8224d890abf05c38a339f2
humanhash: mobile-arizona-arkansas-football
File name:9bc7b2f9a86cdad10a9c85942a2f075e76bf141db087354a1309fabac24f7a36
Download: download sample
Signature Formbook
Create hunting rule
File size:859'648 bytes
First seen:2022-04-19 06:04:52 UTC
Last seen:2022-04-21 12:23:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e0804e63f849253255cc5a90c0147c49 (6 x DBatLoader, 1 x Formbook, 1 x ModiLoader)
ssdeep 12288:bZ8wag4BvCXr8j4CoOjPDQdT4ragoUG15U87uxHkHijCNsFKzaRHr:b2FN2ojFoOjcdTaTGTR8HExz
Threatray 11'323 similar samples on MalwareBazaar
TLSH T1CB059E22B3918436D0331E758D5793B96C29FF202E24A9466AF9DE4C5F392E13D3D293
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon c8c982848998ac94 (10 x Formbook, 6 x DBatLoader, 4 x RemcosRAT)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264492/
Detection(s):
SecuriteInfo.com.Downloader-FCIVAB57EFF2AA82.3298.15159.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe greyware keylogger
Link:
https://www.filescan.io/uploads/625e5110ffe27d5119083d23/reports/fe2750f9-3af7-4b95-b99a-c2a676fac9b9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/32d3839c-39f8-40db-88a4-d88aef9d2e8c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978639
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Application Executed Non-Executable Extension
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 611126 Sample: 9bc7b2f9a86cdad10a9c85942a2... Startdate: 19/04/2022 Architecture: WINDOWS Score: 100 37 www.maxmedicalcentre.com 2->37 39 www.beachdayscottage.com 2->39 41 beachdayscottage.com 2->41 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 8 other signatures 2->73 8 Jmfyzvn.exe 15 2->8         started        12 Jmfyzvn.exe 15 2->12         started        14 9bc7b2f9a86cdad10a9c85942a2f075e76bf141db087354a1309fabac24f7a36.exe 1 17 2->14         started        signatures3 process4 dnsIp5 47 i-db3p-cor003.api.p001.1drv.com 40.90.136.179, 443, 49748, 49750 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->47 55 5 other IPs or domains 8->55 81 Multi AV Scanner detection for dropped file 8->81 83 Modifies the context of a thread in another process (thread injection) 8->83 85 Maps a DLL or memory area into another process 8->85 87 Queues an APC in another process (thread injection) 8->87 17 explorer.exe 8->17 injected 49 i-db3p-cor004.api.p001.1drv.com 13.104.208.162, 443, 49756, 49758 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->49 57 5 other IPs or domains 12->57 89 Sample uses process hollowing technique 12->89 21 rundll32.exe 12->21         started        51 i-db3p-cor007.api.p001.1drv.com 13.104.208.164, 443, 49732, 49740 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 14->51 53 qirnsg.db.files.1drv.com 14->53 59 4 other IPs or domains 14->59 27 C:\Users\Public\Libraries\Jmfyzvn.exe, PE32 14->27 dropped 29 C:\Users\...\Jmfyzvn.exe:Zone.Identifier, ASCII 14->29 dropped 91 Tries to detect virtualization through RDTSC time measurements 14->91 file6 signatures7 process8 dnsIp9 31 www.revgeek.com 156.234.138.23, 49852, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 17->31 33 www.mapfires.net 64.98.145.30, 49849, 80 TUCOWS-3CA Canada 17->33 35 20 other IPs or domains 17->35 61 System process connects to network (likely due to code injection or exploit) 17->61 63 Performs DNS queries to domains with low reputation 17->63 23 raserver.exe 12 17->23         started        65 Tries to detect virtualization through RDTSC time measurements 21->65 signatures10 process11 dnsIp12 43 www.170805.com 23->43 45 gfchains.com 23->45 75 Modifies the context of a thread in another process (thread injection) 23->75 77 Maps a DLL or memory area into another process 23->77 79 Tries to detect virtualization through RDTSC time measurements 23->79 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25ea2bf5ae084d751e654229343f8390cf11c0d1930fda8009b3935a96317de2/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2022-04-19 05:40:58 UTC
File Type:
PE (Exe)
Extracted files:
67
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=exvcx5nobbgxkhtfiiutip4dsdhrdqgrsmh5vaajwojvvfrrpxra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
81f4e3b64cd382fe241f3ce5f0f31eafca0fc82c77c91b751d03f8eb41511b3e
Formbook
86df15ac78abc1d224a4249db72d29dcb2979fd0669a15c0d291e47648dc0c1c
Formbook
97e3431b489d64fb200c178334d0229cea2495e7f01856ac8571e4f085636b73
Formbook
9e4e02725cde43b4da85cdf054b11ad0e4a622bb54f4a967b1634ebcaea9666a
Formbook
a3a2d9a377922a592c46004c66ae748433c1874396168c575a26f744f05b6bf7
Formbook
b3abc09be3775f75fe01c084e3024371dcf7bba8b91e97d5ecf35862f9812ee2
Formbook
bcd4ff2d437acfafe367d9192ea761aa86a93f212a3a86e422650ba5820108f2
Formbook
da30dd86e912cbfcf0cb4306265cedf47604891dc868db7c59dd92d47ad32063
Formbook
+ 11'313 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:a5qd loader persistence rat trojan
Link:
https://tria.ge/reports/220419-gs66asbge9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Adds Run key to start application
ModiLoader Second Stage
Xloader Payload
ModiLoader, DBatLoader
Xloader
Unpacked files
SH256 hash:
5c7abef80eec8823727033ff393ec0c554e024174078558c2816eac5aa5f05ba
MD5 hash:
75bb3ad3fd6a800d80f6d0df1eacc4cd
SHA1 hash:
97401d629c663e86c91d254047857d2d56245c69
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/c1955386-d728-452a-a8f9-f96992ca3214/
Parent samples :
25ea2bf5ae084d751e654229343f8390cf11c0d1930fda8009b3935a96317de2
af499144c7f610fae2c18484fd390dbc9307cf056e69813a1f53f944593d412b
5c7e72a95bfda155875ac2e0b0a56588bb5ec05ca71d2e94c9f0ccfba523c373
7834cc8a3f3b2dd0d3ed6a22c134b347054a477e116b4a46751f21a463aee356
SH256 hash:
25ea2bf5ae084d751e654229343f8390cf11c0d1930fda8009b3935a96317de2
MD5 hash:
ab57eff2aa8224d890abf05c38a339f2
SHA1 hash:
290172320bcfc24ba5fe5f1aa3bea859fa97ebae
Link:
https://www.unpac.me/results/c1955386-d728-452a-a8f9-f96992ca3214/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/25ea2bf5ae08/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/25ea2bf5ae084d751e654229343f8390cf11c0d1930fda8009b3935a96317de2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264492/

Comments