MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3045902d7104e67ca88ca54360d9ef5bfe5bec8b575580bc28205ca67eeba96d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 11



SHA256 hash: 3045902d7104e67ca88ca54360d9ef5bfe5bec8b575580bc28205ca67eeba96d
SHA3-384 hash: ae36bd794b2a4e1483d9f81406af14157ad9c92c3178437f8a1f707a611b27d76cd8e6f06a188b8d2df81f93263d1fb8
SHA1 hash: 358dfa7f2bcdd56a342179937a6dd11d94318227
MD5 hash: 2bd0212a01ee6f425e6eb61ae258def9
humanhash: coffee-south-yankee-oklahoma
File name: 2bd0212a01ee6f425e6eb61ae258def9
Signature FormBook
File size: 959'488 bytes
First seen: 2021-10-26 09:52:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash cd903ee6199fd8a23728e08912cd0b83 (4 x RemcosRAT, 1 x DBatLoader, 1 x FormBook)
ssdeep 12288:4XP/GqooPN90ke+TV6nRsT3qoHsXmlN3TQQKKyB4pV:4nNNaL+Td6WCgEQsB4p
Threatray 9'071 similar samples on MalwareBazaar
TLSH T193157C22F567193BD2961939C463A772A8F5B7E0273711967FCC3B45CC262807E35E0A
dhash icon c2f9b4dedadac6f9 (4 x RemcosRAT, 1 x DBatLoader, 1 x FormBook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence


File Origin
# of uploads : 1
# of downloads : 168
Origin country : n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Modifying an executable file
Launching the default Windows debugger (dwwin.exe)
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 67%
Tags: keylogger remcos
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DBatLoader FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph ID: 509310
Sample: vEJoIOKpFz
Start date: 26/10/2021
Architecture: WINDOWS
Score: 100
Contacted host: cdn.discordapp.com (162.159.133.233, port 443, CLOUDFLARENETUS, United States; local ports 49692, 49693)
Dropped file: C:\Users\Public\Libraries\Wbjhzk\Wbjhzk.exe (PE32)
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected DBatLoader; 2 other signatures
Process tree (recovered from the graph edges; per-process signatures in brackets):
vEJoIOKpFz.exe  [Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes]
  |- logagent.exe  [Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements]
  |    `- explorer.exe (injected)
  |         |- Wbjhzk.exe  [Multi AV Scanner detection for dropped file; Contains functionality to detect sleep reduction / modifications]
  |         `- Wbjhzk.exe
  |- cmd.exe
  |    |- reg.exe
  |    |    `- conhost.exe
  |    `- conhost.exe
  `- cmd.exe
       |- cmd.exe
       |    `- conhost.exe
       `- conhost.exe
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2021-10-25 18:06:48 UTC
AV detection: 15 of 41 (36.59%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:n8rn loader persistence rat spyware stealer
Behaviour
Modifies Internet Explorer settings
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Xloader Payload
Xloader
Malware Config
C2 Extraction: http://www.mgav26.xyz/n8rn/
Unpacked files
SHA256 hash: e232e1cd61ca125fbb698cb32222a097216c83f16fe96e8ea7a8b03b00fe3e40
MD5 hash: f6d3a43210b0ae176ecbbf2fb450d93c
SHA1 hash: da2a958b6d503853b27456e0a97694f30a73b68d
Detections: win_temple_loader_w0
Parent samples :
SHA256 hash: 3045902d7104e67ca88ca54360d9ef5bfe5bec8b575580bc28205ca67eeba96d
MD5 hash: 2bd0212a01ee6f425e6eb61ae258def9
SHA1 hash: 358dfa7f2bcdd56a342179937a6dd11d94318227
Please note that we are no longer able to provide a coverage score for Virus Total.
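The indicators and sandbox behaviour reported above lend themselves to a small triage script. The Python below is an added example and is not MalwareBazaar's, the reporter's or any vendor's code. It computes the same digests this entry lists (SHA256, SHA3-384, SHA1, MD5) so a downloaded file can be checked against the entry, and it applies a few detection rules drawn from the behaviour above (execution from a suspicious folder, a Run key written via reg.exe, contact with the extracted C2 host or the download host from the comment) to constructed Sysmon-style events. The event dictionary format, the reg.exe command line, the desktop path of the initial sample, and the mapping of the "Execution from Suspicious Folder" hit onto C:\Users\Public\ are assumptions for the example; cdn.discordapp.com is reported as context only, because it is a shared CDN and 162.159.133.233 is a Cloudflare address rather than attacker infrastructure.

```python
import hashlib
import re

# Indicators copied from this MalwareBazaar entry.
IOC_SHA256 = {
    "3045902d7104e67ca88ca54360d9ef5bfe5bec8b575580bc28205ca67eeba96d":
        "DBatLoader/FormBook loader (this sample)",
    "e232e1cd61ca125fbb698cb32222a097216c83f16fe96e8ea7a8b03b00fe3e40":
        "unpacked payload (win_temple_loader_w0)",
}
IOC_HOSTS = {
    "www.mgav26.xyz": "xloader C2 (campaign n8rn)",
    "104.168.32.50": "download host from the reporter comment",
}
# Contacted during the sandbox run, but a shared CDN on Cloudflare: report it
# as context, never as a standalone indicator.
CONTEXT_HOSTS = {"cdn.discordapp.com"}

# Assumption: the "Execution from Suspicious Folder" hit is modelled on the
# directory the dropped Wbjhzk.exe ran from (C:\Users\Public\...).
SUSPICIOUS_DIRS = ("c:\\users\\public\\",)
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\b", re.I)


def hashes_of(data: bytes) -> dict:
    """The digests this entry lists, so a downloaded sample can be verified."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def check_event(ev: dict) -> list:
    """Return (rule, detail) hits for one Sysmon-style event (assumed format)."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        image = ev.get("image", "").lower()
        if image.startswith(SUSPICIOUS_DIRS):
            hits.append(("execution_from_suspicious_folder", image))
        digest = ev.get("sha256", "").lower()
        if digest in IOC_SHA256:
            hits.append(("known_sample_hash", IOC_SHA256[digest]))
        # reg.exe writing a Run value: the sandbox saw cmd.exe -> reg.exe and
        # reported "Adds Run key to start application".
        cmdline = ev.get("cmdline", "")
        if image.endswith("\\reg.exe") and RUN_KEY_RE.search(cmdline):
            hits.append(("run_key_persistence_via_reg", cmdline))
    elif kind == "registry_set":
        if RUN_KEY_RE.search(ev.get("key", "")):
            hits.append(("run_key_persistence", ev["key"]))
    elif kind in ("dns", "network"):
        dest = (ev.get("query") or ev.get("dest") or "").lower()
        if dest in IOC_HOSTS:
            hits.append(("c2_or_download_host", IOC_HOSTS[dest]))
        elif dest in CONTEXT_HOSTS:
            hits.append(("context_cdn_contact", dest))
    return hits


def scan(events: list) -> list:
    """Run every rule over a list of events and return all hits in order."""
    hits = []
    for ev in events:
        hits.extend(check_event(ev))
    return hits


# Constructed events mirroring the sandbox process tree above; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Users\\user\\Desktop\\vEJoIOKpFz.exe",
     "sha256": "3045902d7104e67ca88ca54360d9ef5bfe5bec8b575580bc28205ca67eeba96d"},
    {"type": "dns", "query": "cdn.discordapp.com"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\reg.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                "/v Wbjhzk /t REG_SZ /d C:\\Users\\Public\\Libraries\\Wbjhzk\\Wbjhzk.exe /f"},
    {"type": "process_create", "image": "C:\\Users\\Public\\Libraries\\Wbjhzk\\Wbjhzk.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"type": "network", "dest": "www.mgav26.xyz"},
    {"type": "process_create", "image": "C:\\Program Files\\Vendor\\app.exe"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:35} {detail}")
```

Hash matching only catches this exact file; the ssdeep, TLSH and imphash values in the entry are what to pivot on for the 9'071 similar samples, and the Run-key and C:\Users\Public rules will fire on unrelated software too, so treat them as triage signals rather than verdicts.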

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: FormBook
File: Executable exe 3045902d7104e67ca88ca54360d9ef5bfe5bec8b575580bc28205ca67eeba96d (this sample)

Comments



zbet commented on 2021-10-26 09:52:27 UTC

url : hxxp://104.168.32.50/009/vbc.exe