MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35ddf428695769bb87459e0848cfae7eb62a86c91c8bb33a2caa23c5fbc43b73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35ddf428695769bb87459e0848cfae7eb62a86c91c8bb33a2caa23c5fbc43b73
SHA3-384 hash: 9918b75d213df71a0a55db7f9f504dfa2f959c46b92cbe085ea24968c55d37481d8ac3907ffb238f07fa014f5ee37688
SHA1 hash: 7a98b02cf27bb92ff397de5b5554ab17426edfe9
MD5 hash: 6adcad993626f90d1efcbb797c6fc63f
humanhash: table-alaska-sodium-blossom
File name:6adcad993626f90d1efcbb797c6fc63f
Download: download sample
Signature Formbook
Create hunting rule
File size:644'608 bytes
First seen:2022-07-04 18:37:54 UTC
Last seen:2022-07-04 20:34:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:jJER+b3yw3d7eT9bRxxujgqPupsbf3Db+Zg39qnOPQLzVitS0AcO6:+IAkjN13DSZ09vP6EtFO6
TLSH T1C7D4E11EFEA5CD0BC2545772D1D6442C5372EC0AA223DB2B358DA3B91E033BAD8C5796
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.39647.19054.11875.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62c333cdc1b6cfcaa5e9612b/reports/024a02b3-3883-4314-af70-8dfaf4a41712/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73cf80b4-c1d9-402e-acf1-f1004e23aee6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1024391
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/35ddf428695769bb87459e0848cfae7eb62a86c91c8bb33a2caa23c5fbc43b73/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-07-04 18:38:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxo7ikdjk5u3xb2ftyeert5op23cvbwjdsf3gormvir4l66ehnzq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:nn40 loader rat
Link:
https://tria.ge/reports/220704-w92dpscfh9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
eb34d25f79cf69105cc87e8e8f902fce7bc2dc4c80d5c1dc510cf60b3859dfb3
MD5 hash:
f8fbac0b58d026c8dd80df878e2e7774
SHA1 hash:
69de8ce161c2fdd0d10aee01a20a1e3b2b51237c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
XLoader
Create hunting rule
Link:
https://www.unpac.me/results/20200343-b3ca-4db9-bf1e-7b9ff4dd46c0/
Parent samples :
9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538
4413a2e6e778cdc5dd839816a62d25e68095be325a28036b45f85716405a2d18
c9777cb78779de98104f1a01584f9df07e39b7ace7d5e6686d225e7261bd9447
0cfac9ebd9e0bb5a2f128f38b9879e4f103208c8559a68a18bb099fa2b8bf18e
1d9fc02237d06ae3ee5ea85ae14a05ab41ee99f03ac660e3f6360ac6864bf7fd
d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d
35ddf428695769bb87459e0848cfae7eb62a86c91c8bb33a2caa23c5fbc43b73
d9953c25aba720427a7122609ba2ec3ed42861e9acd631dc5f2a0deb3d8508b5
SH256 hash:
dcc116cc104568cc3bcf5b30ad0788a6d95a0fc5792cab08baaceca1ad3a9dd5
MD5 hash:
c276ec7d711436b76231c80ea46b7993
SHA1 hash:
f80fc36362d5d6c3770d480ddd4cf83f3b6251ef
Link:
https://www.unpac.me/results/20200343-b3ca-4db9-bf1e-7b9ff4dd46c0/
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
Link:
https://www.unpac.me/results/20200343-b3ca-4db9-bf1e-7b9ff4dd46c0/
SH256 hash:
ad03da068ac4edc277d5e9b528106304239daa2a9627dbae66df15ff9f023b6b
MD5 hash:
52d1acac632fe8c76d1f146449f15038
SHA1 hash:
8ab7d9ebd16c09bcc9c3ec7b0dd5abd62bbc66c5
Link:
https://www.unpac.me/results/20200343-b3ca-4db9-bf1e-7b9ff4dd46c0/
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
Link:
https://www.unpac.me/results/20200343-b3ca-4db9-bf1e-7b9ff4dd46c0/
SH256 hash:
802c81bb1e89a4ee9d491b482b2037c10a8e0747da531c81248de1ca6a79630e
MD5 hash:
f7aa8ed473a056481f15e579caa31cc1
SHA1 hash:
003ed64b7638854902e0d4e4d0adc3c9ffc0d468
Link:
https://www.unpac.me/results/20200343-b3ca-4db9-bf1e-7b9ff4dd46c0/
SH256 hash:
35ddf428695769bb87459e0848cfae7eb62a86c91c8bb33a2caa23c5fbc43b73
MD5 hash:
6adcad993626f90d1efcbb797c6fc63f
SHA1 hash:
7a98b02cf27bb92ff397de5b5554ab17426edfe9
Link:
https://www.unpac.me/results/20200343-b3ca-4db9-bf1e-7b9ff4dd46c0/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/35ddf4286957/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 35ddf428695769bb87459e0848cfae7eb62a86c91c8bb33a2caa23c5fbc43b73

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2253897/

Comments


Avatar
zbet commented on 2022-07-04 18:37:56 UTC

url : hxxp://107.172.76.188/z/ttt.exe