MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3128fb689450869d75e077907887d9b27183bf7eb64e5a87989a86c3e227f43c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3128fb689450869d75e077907887d9b27183bf7eb64e5a87989a86c3e227f43c
SHA3-384 hash: 92584d3a127befe51b636090d68205d5827fca83f8ca5acca524c9022af6f4fcd11c216252c9e52cedc22937e3b7cae7
SHA1 hash: 56926ab3dabf4d35770acf9fbd1124c12e0212c6
MD5 hash: 05bd72f89d2689cf016052be9ba34ad8
humanhash: golf-undress-black-florida
File name:05bd72f89d2689cf016052be9ba34ad8
Download: download sample
Signature Formbook
Create hunting rule
File size:248'884 bytes
First seen:2022-04-05 19:01:21 UTC
Last seen:2022-04-05 19:49:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 452 x Formbook, 295 x Loki)
ssdeep 3072:l1NjcVVnLpPunbp1uIcHaE1YtMmmv7YoemN+KpW27p29h/59m2qsWGrtKX8Xic9i:HNeZmS6D/mDY2EKYF9lPm2dfKX8DGj
Threatray 14'608 similar samples on MalwareBazaar
TLSH T19F341211BA68C073D1B347361E7B5B4A4AFBDE2839F09A5F67941B7836327D0964A302
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/261088/
Detection(s):
SecuriteInfo.com.Trojan.Loader.1017.32324.14107.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching the process to change network settings
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12752/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/624c922f40ce5db9f411ca90/reports/99cb535a-ff7d-4fa2-b8d3-205a7e1b1528/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b0c0649-f016-467b-aff6-7ccd5c7fc3d9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/971092
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 603582 Sample: oLSSEKvGiy Startdate: 05/04/2022 Architecture: WINDOWS Score: 100 34 www.unitechs.xyz 2->34 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 5 other signatures 2->56 12 oLSSEKvGiy.exe 18 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\...\rjoqtmg.exe, PE32 12->32 dropped 15 rjoqtmg.exe 12->15         started        process6 signatures7 68 Tries to detect virtualization through RDTSC time measurements 15->68 18 rjoqtmg.exe 15->18         started        process8 signatures9 42 Modifies the context of a thread in another process (thread injection) 18->42 44 Maps a DLL or memory area into another process 18->44 46 Sample uses process hollowing technique 18->46 48 Queues an APC in another process (thread injection) 18->48 21 explorer.exe 18->21 injected process10 dnsIp11 36 aislamientomartinez.com 162.241.244.43, 49777, 80 UNIFIEDLAYER-AS-1US United States 21->36 38 www.ziraatsulamakredisi.xyz 198.71.49.37, 49780, 80 ONEANDONE-ASBrauerstrasse48DE United States 21->38 40 9 other IPs or domains 21->40 58 System process connects to network (likely due to code injection or exploit) 21->58 60 Performs DNS queries to domains with low reputation 21->60 25 wlanext.exe 21->25         started        signatures12 process13 signatures14 62 Modifies the context of a thread in another process (thread injection) 25->62 64 Maps a DLL or memory area into another process 25->64 66 Tries to detect virtualization through RDTSC time measurements 25->66 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3128fb689450869d75e077907887d9b27183bf7eb64e5a87989a86c3e227f43c/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-05 19:02:13 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
48b9bb721ab60fa9fc9feecef6c4e513b4bfc2049c72f187bdea927b20aa3898
Formbook
53685ac5f275b61fc580f2203e7d7e431d2b03b8e4320015b428745d68d5e333
Formbook
54d3a5ab9cf83b63a50a382b1f3fe4f2bdc03620744b9ecdee74723415fccd9d
Formbook
66ed20e609a1c10376f30415f4f2a03aa274fbdaaa12925dcc81ed74bfb7fdfa
Formbook
6f0508408689f77795e27f5320115355744c6b7d02cf59197dae8646bc73f267
Formbook
95c771c632d3d8501bcb90643f6587624eb5c5773557eeceb34bb08872cbd3cd
Formbook
bc7cf974c3cfb35a9e7f4abff78a9c68ae6a9ecb2eb78725adfd3ef6db6d6e0a
Formbook
d1fc803b3595758c6ea0b1d75423d5287e036a85a211173df5adc89bcdafca13
Formbook
d67265883ffb3f3129132bfe1dad4a828c887266a0a005e814bcda58c525625b
Formbook
dd39f14948021a7f17de30d38f334142b9f7c26c2fffb174f689bccddce94b29
Formbook
+ 14'598 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:wgau loader rat
Link:
https://tria.ge/reports/220405-xprt7sbgc3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
Unpacked files
SH256 hash:
7badf65751d4464b725550a63cdef1a6ca9134853785d0475f0c7a1a0773ef2d
MD5 hash:
1a0fdce38eccbdded8c3d9d7dd96756d
SHA1 hash:
17d72a457a999570be8a7a9c544159b386c22432
Link:
https://www.unpac.me/results/0fdfd66b-1dfb-4444-a5c2-ff603b8700b6/
SH256 hash:
58f2194bda78950af2242d8d1f184fd82791d7f0ea167c37098d6586ef5a238b
MD5 hash:
644d340b6c773bb239b82ea05ca0b31d
SHA1 hash:
4ffe4cf0edf838089f717a1d619ff67b4d408736
Link:
https://www.unpac.me/results/0fdfd66b-1dfb-4444-a5c2-ff603b8700b6/
SH256 hash:
c6c71968c8627f51c583f7b01fe790a196547998b13c3ce54ba7d1b3825adf43
MD5 hash:
143635ec31b71dbc5b92e98bb37b510e
SHA1 hash:
32517f1c8c70515033c9220785db918527d55fba
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0fdfd66b-1dfb-4444-a5c2-ff603b8700b6/
SH256 hash:
3128fb689450869d75e077907887d9b27183bf7eb64e5a87989a86c3e227f43c
MD5 hash:
05bd72f89d2689cf016052be9ba34ad8
SHA1 hash:
56926ab3dabf4d35770acf9fbd1124c12e0212c6
Link:
https://www.unpac.me/results/0fdfd66b-1dfb-4444-a5c2-ff603b8700b6/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3128fb689450/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3128fb689450869d75e077907887d9b27183bf7eb64e5a87989a86c3e227f43c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 3128fb689450869d75e077907887d9b27183bf7eb64e5a87989a86c3e227f43c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2133003/
Cape
Cape
https://www.capesandbox.com/analysis/261088/

Comments


Avatar
zbet commented on 2022-04-05 19:01:23 UTC

url : hxxp://84.38.132.110/55/vbc.exe