MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 276c6876c250e5ebfd761d05937f5a48f7e4c9a6851293a77ab9bf683c8bbf80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 276c6876c250e5ebfd761d05937f5a48f7e4c9a6851293a77ab9bf683c8bbf80
SHA3-384 hash: 5bc89e2c0f7141571cb7663e0dcb8a198a955484fc6a5ad3b0308c7873746f26f1024f126a1860f388f8563e1b3f3f3a
SHA1 hash: 492c8828a332dbcc0f68d5ee5b17d9ae994b48c4
MD5 hash: c52ecabaed16aba5fac89d694e7508dc
humanhash: sixteen-july-three-nineteen
File name:SecuriteInfo.com.W32.AIDetectNet.01.32118.23153
Download: download sample
Signature Formbook
Create hunting rule
File size:280'248 bytes
First seen:2022-06-20 11:58:45 UTC
Last seen:2022-06-20 12:32:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:hz6yLUr8SGytKZtJAbi3LLHddD7FhqF5TNE:IgoytvLL9BFMFM
Threatray 975 similar samples on MalwareBazaar
TLSH T12E54E01B379C8E00C469AAB1C4CE083913E5EFC77E7297563F5962681E823EB2D495CD
TrID 52.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/281565/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.32118.23153.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook obfuscated overlay packed
Link:
https://www.filescan.io/uploads/62b06147d37f6643508e9126/reports/6d18cee6-d7d3-4225-853c-2a57c44abe36/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cb7b308e-7757-4d71-bfbd-1082191d3759
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1016260
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 648756 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 20/06/2022 Architecture: WINDOWS Score: 100 23 www.petrolverse.xyz 2->23 31 Snort IDS alert for network traffic 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus detection for URL or domain 2->35 37 7 other signatures 2->37 8 SecuriteInfo.com.W32.AIDetectNet.01.32118.exe 1 2->8         started        signatures3 process4 file5 21 SecuriteInfo.com.W...et.01.32118.exe.log, ASCII 8->21 dropped 39 Writes to foreign memory regions 8->39 41 Allocates memory in foreign processes 8->41 43 Injects a PE file into a foreign processes 8->43 45 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->45 12 cvtres.exe 8->12         started        signatures6 process7 signatures8 47 Modifies the context of a thread in another process (thread injection) 12->47 49 Maps a DLL or memory area into another process 12->49 51 Sample uses process hollowing technique 12->51 53 2 other signatures 12->53 15 help.exe 12->15         started        18 explorer.exe 12->18 injected process9 dnsIp10 55 Modifies the context of a thread in another process (thread injection) 15->55 57 Maps a DLL or memory area into another process 15->57 59 Tries to detect virtualization through RDTSC time measurements 15->59 25 doroos.online 162.241.123.55, 49820, 80 UNIFIEDLAYER-AS-1US United States 18->25 27 www.ownitoffice.com 35.209.201.133, 49822, 80 GOOGLE-2US United States 18->27 29 10 other IPs or domains 18->29 61 System process connects to network (likely due to code injection or exploit) 18->61 63 Performs DNS queries to domains with low reputation 18->63 signatures11
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/276c6876c250e5ebfd761d05937f5a48f7e4c9a6851293a77ab9bf683c8bbf80/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-06-20 10:21:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e5wgq5wckds6x7lwduczg722jd36jsngqujjhj32xg7wqpelx6aa._file
Verdict:
malicious
Similar samples:
48e554159e6003c59fc3cec6633e274dcd650bbd7067413b6ec8de04aed1b958
Formbook
52c7f4e1b185fa991cce822cd4a4bad5b7f44cdd26663ebf22772ea38efbeec5
Formbook
751545481c1a47d3cfaf771d01b78d712a9baf980c98c9a6d32f89f50b918f7f
Formbook
7c784b2b4f0a0601c27580aedc94ceda67153748ef452c722d21726654a1677c
Formbook
a0b5afcab56631d737decbb0378a3aa681f0d053fba8b829a039b452c0be79ed
Formbook
d9edf42affd4dae1e5c0260eb6095e8ea3f03812e2479820dc6a41183adbe827
Formbook
ecc62758ef557c2ed6796ad203c9df3a19f2b10edbfa1c3291f7a64f04286233
Formbook
f73169c0a27b9a12670f84c45f65286ff6922958ceaa08df5de8709a9e8372f8
Formbook
+ 965 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:vweq loader rat spyware stealer suricata
Link:
https://tria.ge/reports/220620-n5qseachel/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Xloader Payload
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
2d5e77062402bc7bfece14981a2500339daf247f8b63fc89549b3b2addedeb37
MD5 hash:
c439237c2ebbeb5784e00a40c1e13fc2
SHA1 hash:
56383b9e14ed19e479df80255d0201d275ef4e68
Link:
https://www.unpac.me/results/813b44bb-d808-4a93-84d6-d7eedf6ad73a/
SH256 hash:
f93e9981a81b0f7db18b7dc39f25f29c02f639d5a6223d4a0593950a6c657cdd
MD5 hash:
3324ff03f3e3fa0f045e0ecde513eb5e
SHA1 hash:
c23458d1aab751b011a7ff20e9a8df4c8f06b1d2
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/813b44bb-d808-4a93-84d6-d7eedf6ad73a/
Parent samples :
276c6876c250e5ebfd761d05937f5a48f7e4c9a6851293a77ab9bf683c8bbf80
e640ade723ba4aa48f63db4293d15b61c07c05bfdd93a3a0f83f4a177306b87d
b9420d9aebcbac4b5e7410b11383972bc328409d01d3ac2b7188ec7176f28cce
cae9a0644fd5cc322d7507cb395211a8af890df841bcd028f56e77399ada378b
be5b336a3ad03b3b70a286e38ba35c631f7d98f3c54e996c2e787f225b449879
38fbf4ef63938c61701107b226bef84d19a357b215830ce660101cfe6f59e75c
SH256 hash:
276c6876c250e5ebfd761d05937f5a48f7e4c9a6851293a77ab9bf683c8bbf80
MD5 hash:
c52ecabaed16aba5fac89d694e7508dc
SHA1 hash:
492c8828a332dbcc0f68d5ee5b17d9ae994b48c4
Link:
https://www.unpac.me/results/813b44bb-d808-4a93-84d6-d7eedf6ad73a/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/276c6876c250/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/276c6876c250e5ebfd761d05937f5a48f7e4c9a6851293a77ab9bf683c8bbf80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 276c6876c250e5ebfd761d05937f5a48f7e4c9a6851293a77ab9bf683c8bbf80

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2245675/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/281565/

Comments