MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28bae65cec413f6c0dcb0df2b34f0a9cb4a53ea246de0fff2baee4a98d8551d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	28bae65cec413f6c0dcb0df2b34f0a9cb4a53ea246de0fff2baee4a98d8551d2
SHA3-384 hash:	e522c0057859df237acfed105c0ecc498bc510c4f90ce75293c34f9ce197c7aba40f77489b870f61f3c7c89825c139b1
SHA1 hash:	52bbc2452042918efd97da6826c97e28c6cf6d5b
MD5 hash:	032f14ee49692bfb4d59c3549c8ecd04
humanhash:	summer-georgia-uncle-fifteen
File name:	SecuriteInfo.com.Variant.Strictor.265968.6816.21223
Download:	download sample
Signature	Formbook Create hunting rule
File size:	963'072 bytes
First seen:	2022-04-14 10:33:54 UTC
Last seen:	2022-04-20 10:23:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:+LzZjNGNUVrBCKlY1jlLxlnjaOmv99xIQb1ofMNKW3MMuPBT8K+XfJu+Qe7Ny4EC:0FLCiIJxljariQ9rcpJTYJuHEJWxW
Threatray	14'947 similar samples on MalwareBazaar
TLSH	T1FD25CF53F299699AC02543F28428D8341766BF5A6439CA097DF6BCDB35F23C22027F5B
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	b4f0d4c6c4dcdce4 (6 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

272

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Strictor.265968.6816.21223

Verdict:

Malicious activity

Analysis date:

2022-04-14 10:39:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5212b8c3-acce-4a68-89fd-21b5c97b983e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/263652/

Detection(s):

SecuriteInfo.com.Variant.Strictor.265968.6816.21223.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe update.exe

Link:

https://www.filescan.io/uploads/6257f8abffe27d5119cd1813/reports/4aa5217b-433e-4f4d-927c-3c21272425a0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/193924fa-196d-4367-ac56-6711cd162722

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/976732

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Add Scheduled Task From User AppData Temp

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/28bae65cec413f6c0dcb0df2b34f0a9cb4a53ea246de0fff2baee4a98d8551d2/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-14 10:34:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

33d9ff922b2b34291e7e84fee8cb11062f4e1eb56cff714fca88f8fa5b507c09

Formbook

3ea19f45dd5b9c5ed0e6f371d7e92afda076c69e6a43eafc3c83337819eee56a

Formbook

574fa65d6f75e60274434f27f9f28f439c093ba8ba7eb8303a441a5e851d70c8

Formbook

7c88273247fcb72cc63b4153e079d0b034f9065ca14c4918e1519773ca27144b

Formbook

95c6926c4af01e7a782b16967a66b3c349f24a6ab2393b1a20c47e28a1ad7249

Formbook

99bb3d1c9a2a4dad6465a81df1008b91f5836e51ce0463da76b31f9758dd9b62

Formbook

9c6a6119bc7008246685cb9960fe21969a8bfbbea6659e6e0afa329358c60a50

Formbook

bc5116cdc710b153d2c32a9ecb5bccd7f3ed3c4cee398b9eba9f482dc5c77cd1

Formbook

c08029bf515af0b640fb4fcdd2d0805cd88f953cbff0315f325a4869d662678f

Formbook

+ 14'937 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:n4th loader rat

Link:

https://tria.ge/reports/220414-ml4pgsbacp/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Xloader Payload

Xloader

Unpacked files

SH256 hash:

28bae65cec413f6c0dcb0df2b34f0a9cb4a53ea246de0fff2baee4a98d8551d2

MD5 hash:

032f14ee49692bfb4d59c3549c8ecd04

SHA1 hash:

52bbc2452042918efd97da6826c97e28c6cf6d5b

Link:

https://www.unpac.me/results/1224c0b3-51f6-4686-932b-10e7edb35d05/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/28bae65cec41/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/28bae65cec413f6c0dcb0df2b34f0a9cb4a53ea246de0fff2baee4a98d8551d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/263652/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample