MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33689ab240c55ef3eb149bd364c2e1c0e655b35ffcca42363033ca3e492b5f32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	33689ab240c55ef3eb149bd364c2e1c0e655b35ffcca42363033ca3e492b5f32
SHA3-384 hash:	f2566ef623f8c4bf051ed8c42444d6b0b6d9aa0d7288d0bbbfc35466735908ba5d8daa14ad44fece23abef7120307b96
SHA1 hash:	fafb22b2c1d1c95967f9118162c828910526fbfd
MD5 hash:	655b0349f83661d9bb86f93782f3d714
humanhash:	hawaii-december-butter-wisconsin
File name:	SecuriteInfo.com.Variant.Strictor.272794.3701.28316
Download:	download sample
Signature	Formbook Create hunting rule
File size:	753'664 bytes
First seen:	2022-05-20 12:48:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:MAvPyfUqpxVk7RRR72FQaGdb3FdmYkl7UhcJmlpXgge7CDimYH:7vPyflSv7I1GR31kZUy4jwv7CBYH
TLSH	T1FFF4C0F539B5415BE5FE4EB1EF89553027F2386CA4C1A30D69F532084AF23A0198D7AE
TrID	54.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 23.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.8% (.EXE) Win64 Executable (generic) (10523/12/4) 4.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	849298a4a4a4e4e4 (3 x Formbook, 1 x AveMariaRAT, 1 x njrat)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

300

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Strictor.272794.3701.28316

Verdict:

Malicious activity

Analysis date:

2022-05-20 13:08:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a9350bbe-9805-450e-b75e-5d26ec49e8a7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/273044/

Detection(s):

SecuriteInfo.com.Variant.Strictor.272794.3701.28316.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed update.exe

Link:

https://www.filescan.io/uploads/62878e5a3ec49f83a6b9900a/reports/f0b0b6c6-0967-4cb8-a99b-6385ee25af69/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/75db9ed5-837f-4677-baec-c1437b033606

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/998570

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/33689ab240c55ef3eb149bd364c2e1c0e655b35ffcca42363033ca3e492b5f32/

Threat name:

ByteCode-MSIL.Backdoor.Androm

Status:

Malicious

First seen:

2022-05-20 10:24:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 26 (53.85%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gnujvmsayvpph2yutpjwjqxbydtflm277tfeenrqgpfd4sjll4za._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:mrw6 loader rat

Link:

https://tria.ge/reports/220520-p2b1hsfbfr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

b8178155c3917908387f5b2b9a5312f8222bc02824c433425d289c28195263bb

MD5 hash:

b783cfeb62a934e06ca18e8c55aa1c71

SHA1 hash:

c975e408a3c3906898cea818ffd93cd499197504

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/f0b3ce6a-b7e7-4d9d-b76d-5032120ed4f8/

Parent samples :

de4f5d7be84c3a10afa75bd2463a7c2958afc54300f88962f8e069d121752796
01395e90d0c8ad1f209e098302edb7f9082529b52208bbd08eb78a6a09760c73
979a8054b45d09d2c01a9e888e836a4452f4435dce06dd03be67e2b2ff30926d
b85f6d4936a285f58b3902ada91915d91652aa45fd2fa774ce73f8f8e48f0ede
33689ab240c55ef3eb149bd364c2e1c0e655b35ffcca42363033ca3e492b5f32

SH256 hash:

e9e2ef7b1e9846dbcc28b5caf2e330e4de9afdd213690d481ebbfc7fce5faaba

MD5 hash:

654395bc891c84e2ebbe47720954c081

SHA1 hash:

bbe21b6e2cdd52fac6c7472b8b074d52ad0b71cd

Link:

https://www.unpac.me/results/f0b3ce6a-b7e7-4d9d-b76d-5032120ed4f8/

SH256 hash:

5f3401e722b6528942d526ca24db180c971a43d3d475e49bf9478652f018f4ce

MD5 hash:

34680a4adb95d9797f7f857fc3c0cc84

SHA1 hash:

5a79d0f69a48b54c39ea78adc6169f7e74c9a43b

Link:

https://www.unpac.me/results/f0b3ce6a-b7e7-4d9d-b76d-5032120ed4f8/

SH256 hash:

7460000a6d098a86963b87e7e475ed9bdf9b665152bf5a5df79a6ff4f82cd0de

MD5 hash:

830f671a1c5b3e4efc053a915b6362d9

SHA1 hash:

2a3d3f4e3b4ecc0b698fc23d9090b8f6a73f4fd4

Link:

https://www.unpac.me/results/f0b3ce6a-b7e7-4d9d-b76d-5032120ed4f8/

SH256 hash:

33689ab240c55ef3eb149bd364c2e1c0e655b35ffcca42363033ca3e492b5f32

MD5 hash:

655b0349f83661d9bb86f93782f3d714

SHA1 hash:

fafb22b2c1d1c95967f9118162c828910526fbfd

Link:

https://www.unpac.me/results/f0b3ce6a-b7e7-4d9d-b76d-5032120ed4f8/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/33689ab240c5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/33689ab240c55ef3eb149bd364c2e1c0e655b35ffcca42363033ca3e492b5f32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/273044/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample