MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de
SHA3-384 hash: b433be9ec46c18920f550ac01a079a81a646db216fc1f025d40f8702f4d5883f3b305e5300dc12b35331091fc32affa5
SHA1 hash: fb6dfc41a4311c3d26293c23e497082dea356f51
MD5 hash: bdc5d1e58c4c376d9ae996a363ffa47f
humanhash: mountain-eight-ohio-alabama
File name:vbc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:727'552 bytes
First seen:2021-11-23 10:03:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eb3e9d8cf19100c077e1fdd127bcd369 (3 x Formbook, 1 x BitRAT)
ssdeep 12288:g6Hvy5le1KrvnEWkPpgiVymUqmCRb3seJ1B8lDfwUCm0gRS+:g6PWleMvnEW0pgiJUUx3zJ1Bs7cH
Threatray 11'660 similar samples on MalwareBazaar
TLSH T14DF4AF92B3E0AE71C3AA7175AD0F8724693B7C011D34800B1DF92E489F7D352E76A65B
File icon (PE):PE icon
dhash icon 342c6c9c97cc6493 (3 x Formbook, 1 x BitRAT)
Reporter pr0xylife
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vbc.exe
Verdict:
Malicious activity
Analysis date:
2021-11-23 10:13:22 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/89582504-48b1-4052-9857-0048953124fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/619cbc98b71ceed4152ccc29/reports/c08e23da-a541-41a2-9b31-62a444839e84/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ee6c1e7a-11a2-44ab-8004-fea226d04a9d
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/894591
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 527069 Sample: vbc.exe Startdate: 23/11/2021 Architecture: WINDOWS Score: 100 45 www.nashhomesearch.com 2->45 47 www.belenpison.agency 2->47 81 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->81 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 9 other signatures 2->87 10 vbc.exe 1 18 2->10         started        15 Avapxlht.exe 15 2->15         started        signatures3 process4 dnsIp5 55 onedrive.live.com 10->55 57 gnblzq.am.files.1drv.com 10->57 59 am-files.fe.1drv.com 10->59 41 C:\Users\Public\Libraries\...\Avapxlht.exe, PE32 10->41 dropped 43 C:\Users\...\Avapxlht.exe:Zone.Identifier, ASCII 10->43 dropped 99 Writes to foreign memory regions 10->99 101 Allocates memory in foreign processes 10->101 103 Creates a thread in another existing process (thread injection) 10->103 17 mobsync.exe 10->17         started        61 onedrive.live.com 15->61 63 gnblzq.am.files.1drv.com 15->63 65 am-files.fe.1drv.com 15->65 105 Multi AV Scanner detection for dropped file 15->105 107 Injects a PE file into a foreign processes 15->107 20 mobsync.exe 15->20         started        file6 signatures7 process8 signatures9 73 Modifies the context of a thread in another process (thread injection) 17->73 75 Maps a DLL or memory area into another process 17->75 77 Sample uses process hollowing technique 17->77 79 2 other signatures 17->79 22 explorer.exe 17->22 injected 26 svchost.exe 20->26         started        process10 dnsIp11 49 www.oilelm.com 22->49 51 104.21.66.109, 49830, 80 CLOUDFLARENETUS United States 22->51 53 25 other IPs or domains 22->53 95 System process connects to network (likely due to code injection or exploit) 22->95 28 Avapxlht.exe 15 22->28         started        32 help.exe 22->32         started        34 wscript.exe 22->34         started        36 2 other processes 22->36 97 Tries to detect virtualization through RDTSC time measurements 26->97 signatures12 process13 dnsIp14 67 onedrive.live.com 28->67 69 gnblzq.am.files.1drv.com 28->69 71 am-files.fe.1drv.com 28->71 109 Writes to foreign memory regions 28->109 111 Allocates memory in foreign processes 28->111 113 Creates a thread in another existing process (thread injection) 28->113 115 Injects a PE file into a foreign processes 28->115 38 mobsync.exe 28->38         started        117 Modifies the context of a thread in another process (thread injection) 32->117 119 Maps a DLL or memory area into another process 32->119 121 Tries to detect virtualization through RDTSC time measurements 32->121 signatures15 process16 signatures17 89 Modifies the context of a thread in another process (thread injection) 38->89 91 Maps a DLL or memory area into another process 38->91 93 Sample uses process hollowing technique 38->93
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 10:04:41 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
24 of 45 (53.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1e5bb5e00fddfcc62c8bfe71b46a4c8c6c22986c7a51931d16b8ddc465170d72
Formbook
3490cb5fd9a372722f95ed69c41e23d5cd274ce6b3c024ec1731962a380409d6
Formbook
728b23f75c1140a1763dd7c75083f2ae57afeb6ffa3d7b33a9ba1b4904c4566d
Formbook
8968808899b3e810e675fc87e6ff0f61c82b444183fd7f8febdb276eee05e683
Formbook
b88385613d90ebbd240b11a3847fc2117c0d832fdf7a3c45f1ed68692ed68038
Formbook
d544f115e860d3282bd996d7b12ac92c10097d68d135667cca0f847ca754f8ef
Formbook
d72799be34725e6cc9665e17895075ad8c5aa22835440abb4a342a202426379c
Formbook
d9acad219b9fa52e4258fafd8c85b9e473b8f99435f4d9af4dbb953fae94a17d
Formbook
+ 11'650 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ht08 loader persistence rat suricata
Link:
https://tria.ge/reports/211123-l3yzwshgbl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Uses the VBS compiler for execution
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.septemberstockevent200.com/ht08/
Unpacked files
SH256 hash:
c0d655ca0862ee8f069564e3e7fcb17d930e0c877a31e749f4ad1b73a38e855a
MD5 hash:
7f01373693adbbd15ca15fff811a2c1a
SHA1 hash:
bf4ef40f0feaf42aeac4767ff93bfe83e1f0c89d
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/aef91341-4bd3-49c9-982e-42122cde7dcf/
Parent samples :
bfbe11d6ffb3c82c59ac2cf85176583ff2ea5449d926584a59181286611f48f3
22e4c6c1d3eb1e8a93d2b36b152ef39cff53bc933ff80153057788fadf6615db
839d28f4d38455750ddf9ddffdd57d0cc6ee009714f407a8698e65e96eb9fa71
9bfd468b402317eb1dc711af78f4340d855cbf234a4736188283a6fa6f8d3cb2
2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de
41469a749da51e8aa7e1ea159041bf74f712dd4f23f076188f547ee0c0f7933f
413e8df7f149aa643aaa1ef70e953ab2112827b652f1cf05b6420ed6a119962d
34443c2f4cf165f96c3eaffb93f2a7b3628ebed8ed119b3ef2ad3e5dc450e0a0
fe367e5f3b5894117d3b699784bc5da3cb4083608c94879895b279b2bc2f32a4
SH256 hash:
2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de
MD5 hash:
bdc5d1e58c4c376d9ae996a363ffa47f
SHA1 hash:
fb6dfc41a4311c3d26293c23e497082dea356f51
Link:
https://www.unpac.me/results/aef91341-4bd3-49c9-982e-42122cde7dcf/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2863a8690acd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/208634/

Comments