MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30eca50cfb9de3391b755191b2e3e3d048222fd7b1af995cc089c49258b44610. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	30eca50cfb9de3391b755191b2e3e3d048222fd7b1af995cc089c49258b44610
SHA3-384 hash:	00133c4c78a761bb246c04385e8c57b42551c1f37bceae5e0f4bbc1da2d54cf8fe55d0878246317a112f4e535c31294e
SHA1 hash:	04db24b4bebad9bdc198d645191fa77ecc5ccd19
MD5 hash:	d90dce269c0554bed223e2c9e80ec945
humanhash:	sixteen-social-floor-orange
File name:	Initial Document ID. 20002234LF.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	51'200 bytes
First seen:	2022-02-28 15:10:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	384:T2K7jc0O52PsE3p+8+v6zBuDQXulaiAMwCKFH2S3dd0hUADkaMk:T2yc0nE9DxlmMwCK/3deVDv
Threatray	14'499 similar samples on MalwareBazaar
TLSH	T18633F81A6CADA659C5D47BF859F0918693B1ACE10024C14FECF97F19A933323DCC625E
File icon (PE):
dhash icon	174f4559191b1b13 (81 x AgentTesla, 68 x Formbook, 34 x SnakeKeylogger)
Reporter	malwarelabnet
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/245382/

Detection(s):

Sanesecurity.Rogue.0hr.20220228-0806.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Launching a process

Launching cmd.exe command interpreter

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware obfuscated packed shell32.dll update.exe

Link:

https://www.filescan.io/uploads/621ce614dfdfa8501c6bfa97/reports/e89fa435-53e2-4430-8c1a-ee42d9a049ef/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/db4d96c2-9175-4141-b20a-0fe25f751aed

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/947494

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/30eca50cfb9de3391b755191b2e3e3d048222fd7b1af995cc089c49258b44610/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-28 08:11:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gdwkkdh3txrtsg3vkgi3fy7d2becel6xwgxzsxgarhcjewfuiyia._file

Verdict:

malicious

Label(s):

formbook

Formbook

0b7b92e40a75e7c96676e65733f2babfdf0c37529c130619510b2b0b7879a697

Formbook

0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780

Formbook

3a4c026f2e3c450b18931610d6a795ffe504c41ca1d4bf7d26c5a7a57abcf389

Formbook

b1e2238ed835357f061456c7a38d0620cef8b78f0e1a9856133cc5b2805e0ed1

Formbook

b27c2dc3bca2aad4751d22a6f8c7ed19411e96848362e249597e16582cfed7dc

Formbook

d54ba0a6fa5afd571a0799253f94562b50d30842a6d66ba1af62419ed7713131

Formbook

e812adcd8f8470a1be64d92dafaebf717db1c45d58fe04a9160d88a468cf7e3c

Formbook

ec6636f70ab0c5c4a752505049efb9e4ebb856671e6c47fe0c869b9efdf254d7

Formbook

+ 14'489 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:6rnk loader rat suricata

Link:

https://tria.ge/reports/220228-skmbpsfhcp/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

30eca50cfb9de3391b755191b2e3e3d048222fd7b1af995cc089c49258b44610

MD5 hash:

d90dce269c0554bed223e2c9e80ec945

SHA1 hash:

04db24b4bebad9bdc198d645191fa77ecc5ccd19

Link:

https://www.unpac.me/results/00cef538-6b05-433e-b28d-8584a6a9a229/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/30eca50cfb9de3391b755191b2e3e3d048222fd7b1af995cc089c49258b44610

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/245382/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample