MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 264709538c4d306bfbf521a73d87b5753f38952b09f597ad405c934139a1082c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA File information Comments

SHA256 hash:	264709538c4d306bfbf521a73d87b5753f38952b09f597ad405c934139a1082c
SHA3-384 hash:	3488bd119ccaf810b64cad78cc841d55ba84b0eed222ad8b0ee712103107fb8026816057ee42dac2c9d3c01347727d41
SHA1 hash:	003d0953cd88b93206b92563779f76df890d31be
MD5 hash:	546ee858992bc35eaf00101cbb261471
humanhash:	october-west-magazine-king
File name:	VIREMENT.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	250'166 bytes
First seen:	2022-04-10 15:17:31 UTC
Last seen:	2022-04-10 15:33:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	3072:l1NjcVVnLpPunb2t8g32uLHJ5x5PRT1h+Pt4+tWWDGz2BrazjX1dleKf:HNeZm2tgKppzh+2shyndl/
TLSH	T12F341206B5D4C0A3D0A68B74A73D6B9707EF573920FAC61F175067E93D94A82EC0EB12
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

325

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

VIREMENT.exe

Verdict:

Malicious activity

Analysis date:

2022-04-10 15:18:08 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/b180a952-cd2f-4d7c-af1e-b7cfff9d9432

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/262421/

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.2110.26436.20705.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Launching cmd.exe command interpreter

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/13343/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6252f52b04b81dabe2752a32/reports/09c4edc6-060f-46d6-b97f-4b46f34942c1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dc447d04-6c3d-43a2-bbb9-14ba511d386f

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/974071

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/264709538c4d306bfbf521a73d87b5753f38952b09f597ad405c934139a1082c/

Threat name:

Win32.Trojan.NSISInject

Status:

Malicious

First seen:

2022-04-10 11:08:43 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ezdqsu4mjuygx67vegtt3b5vou7trfjlbh2zplkalsjuconbbawa._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:cbgo loader rat suricata

Link:

https://tria.ge/reports/220410-spk97safdq/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

1567ab36505b9c27f54c4cedfc4ff1e120118a0396f8edbebf1ea106be2b2344

MD5 hash:

17b73b2f3fd26ce31ddba6ac2c6e3976

SHA1 hash:

692b368f33515353371c8299dca256b0cabc35fa

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/07e8eb21-53f3-4b1a-b810-7b46c0fad1d8/

Parent samples :

a65fa640ac023cb2207b4707ca53b54ac80fab579b1ab598637850a003b4f2e4
a3722866259ff0b2d2578842e1b1667e17f597c274544bb6e02f24b91cb4dbd4
f2b30831e93ef719ecc6b3d7fa88509a1b77d35068d4d6ab2728d9938c8a7859
7889cc6835fa2dad91efec45745239704b8d8ca2932ade574e92b9c28bf348c1
264709538c4d306bfbf521a73d87b5753f38952b09f597ad405c934139a1082c
27331403cd4e737d09c723eaa8ad57607f4a243a1fcde752443af581b9141092
c0d6833e7ba34a1a05310005fa4e09ad5e1e2b60edf8fe62fc42b7610913496c
50a9cc4decaf32975996710740956b5a9c4985c50ded5a2bb8611945263af65a

SH256 hash:

7a61ed01cf2481b8fbc552a558e3c77bfd8198d37115d6a2010a2d7c8316d9bd

MD5 hash:

2f43e7c10cc8fcf192fbac3483eae056

SHA1 hash:

86add4f59fb90d83e17e1ed66c41c2c8fbfafb5e

Link:

https://www.unpac.me/results/07e8eb21-53f3-4b1a-b810-7b46c0fad1d8/

SH256 hash:

264709538c4d306bfbf521a73d87b5753f38952b09f597ad405c934139a1082c

MD5 hash:

546ee858992bc35eaf00101cbb261471

SHA1 hash:

003d0953cd88b93206b92563779f76df890d31be

Link:

https://www.unpac.me/results/07e8eb21-53f3-4b1a-b810-7b46c0fad1d8/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/264709538c4d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/264709538c4d306bfbf521a73d87b5753f38952b09f597ad405c934139a1082c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 264709538c4d306bfbf521a73d87b5753f38952b09f597ad405c934139a1082c

(this sample)

Dropped by

Formbook

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/262421/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample