MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 361c9dec84262c2fb2bde97fa077a3461cf150f12e372bda676eb9cd0f58441a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 361c9dec84262c2fb2bde97fa077a3461cf150f12e372bda676eb9cd0f58441a
SHA3-384 hash: 1ae2fd496e3ab9367d81f781e958e647a7e5b700c7e6af1c6edf726ba569baa528f85640c7a2f0678794e8a90b16e5fe
SHA1 hash: a3dd7a2a77b7cc7c224d1636028eeecf4538b4e5
MD5 hash: c1366c7e949f42c3708cf8a6b9f8b59e
humanhash: wyoming-papa-one-lactose
File name:SecuriteInfo.com.Trojan.Win32.Save.a.16176.32764
Download: download sample
Signature Formbook
Create hunting rule
File size:367'104 bytes
First seen:2021-07-07 22:36:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:RxQTGhnzsWKaA25eSiVDrDjrZAkb7OXNMG0QpyFEgciDk3F8G1LwOegBfhWx7G:jNFzsjHlHr8XNMG0EyFEgc7V8G1L/BQY
Threatray 4'287 similar samples on MalwareBazaar
TLSH T1C97412A0A5B44B26C46E03F15023DBF00F79EF045D28E6DF9BA97E4A10B374513E1A6B
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Win32.Save.a.16176.32764
Verdict:
Suspicious activity
Analysis date:
2021-07-07 22:41:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/045fb1bf-2e25-43cc-a704-9a58a2635336

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170319/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.16176.32764.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97404711-c251-4a77-94cc-647bf9036ed9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813183
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445594 Sample: SecuriteInfo.com.Trojan.Win... Startdate: 08/07/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for dropped file 2->40 42 6 other signatures 2->42 7 SecuriteInfo.com.Trojan.Win32.Save.a.16176.exe 1 7 2->7         started        11 office.exe 5 2->11         started        13 office.exe 2 2->13         started        process3 file4 24 C:\Users\user\AppData\Roaming\...\office.exe, PE32 7->24 dropped 26 SecuriteInfo.com.T...32.Save.a.16176.exe, PE32 7->26 dropped 28 C:\Users\user\...\office.exe:Zone.Identifier, ASCII 7->28 dropped 34 2 other malicious files 7->34 dropped 44 Writes to foreign memory regions 7->44 46 Injects a PE file into a foreign processes 7->46 15 SecuriteInfo.com.Trojan.Win32.Save.a.16176.exe 7->15         started        30 C:\Users\user\AppData\Local\Temp\office.exe, PE32 11->30 dropped 32 C:\Users\user\...\office.exe:Zone.Identifier, ASCII 11->32 dropped 18 office.exe 11->18         started        20 office.exe 13->20         started        signatures5 process6 signatures7 48 Tries to detect virtualization through RDTSC time measurements 15->48 50 Multi AV Scanner detection for dropped file 18->50 52 Machine Learning detection for dropped file 18->52 54 Modifies the context of a thread in another process (thread injection) 18->54 22 explorer.exe 18->22 injected 56 Maps a DLL or memory area into another process 20->56 process8
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/361c9dec84262c2fb2bde97fa077a3461cf150f12e372bda676eb9cd0f58441a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 20:58:59 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1de5c6b986a6401ba0490ccce78e8bf125d9604d07c4ad87a856a588f0aba6cb
Formbook
28f57adc56668022a2db544f26ea18b9015ca4ab414dd825eafc3e8c4b179c63
Formbook
2cea4d259b54152c7e175ed0739e4c4c70050a49d07cacae4d9003032e7d9990
Formbook
4d345d3e9341f12df8e933686d66efde41d0ba682e67b8a3d23064b35b400429
Formbook
4e5290b59d085d2d8492782191609fb2847e2f4a554b2ca48d1e7d7c86f6fb92
Formbook
84f28d28b63ae57104a5840373d8debeec9be6886be4051e0bd965b1250dda90
Formbook
9eb105eb5a36975161a2d1926b6f8c099b57ee400c05d00df98335f4371bb28a
Formbook
dd4114ea355d3f70e7683fb8491e2499347b6133bd9ef6d094a0cb6ad8aa4609
Formbook
eb275e1b98fd92888969871af8e7fca0673da25cb476ac4f77303b4b2d0a98ce
Formbook
eb2f60b27fe8568bceadd7535f5f7c88de028cf454185a54a4b0b2aa0be63a17
Formbook
+ 4'277 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader persistence rat
Link:
https://tria.ge/reports/210707-xdr6x1z19e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.miauncadavina.com/dkao/
Unpacked files
SH256 hash:
e389dd38a3ff2f31e00598f2f053235cdba42dbe51266f379ff6b6416408a870
MD5 hash:
d14207e440781f57d68ced0711bf5519
SHA1 hash:
27c96467976f31f6e3f29d15b63ebe0e2ad8b533
Link:
https://www.unpac.me/results/31b033d1-7051-4c7d-8a3c-bf86cfe43035/
SH256 hash:
c77e1afb77374088fb874bc7a25f5f7dbd2ff954e3c5db9397c5cc20ff5bc317
MD5 hash:
97ff78934f91f707c7eb6c41e868123d
SHA1 hash:
28cd4f23384cdb8493ca24ee0bb0b0a180519f9b
Link:
https://www.unpac.me/results/31b033d1-7051-4c7d-8a3c-bf86cfe43035/
SH256 hash:
5e0ce33e87ce76b0f4048cab9b47c59103347c55bb0659b831cc90b537869508
MD5 hash:
3773d96b5c46a970b51e137fba394fa5
SHA1 hash:
2a9dc3e7b48663dff9dcd4420a4a234571747951
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/31b033d1-7051-4c7d-8a3c-bf86cfe43035/
SH256 hash:
361c9dec84262c2fb2bde97fa077a3461cf150f12e372bda676eb9cd0f58441a
MD5 hash:
c1366c7e949f42c3708cf8a6b9f8b59e
SHA1 hash:
a3dd7a2a77b7cc7c224d1636028eeecf4538b4e5
Link:
https://www.unpac.me/results/31b033d1-7051-4c7d-8a3c-bf86cfe43035/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/361c9dec84262c2fb2bde97fa077a3461cf150f12e372bda676eb9cd0f58441a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 361c9dec84262c2fb2bde97fa077a3461cf150f12e372bda676eb9cd0f58441a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1434055/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170319/

Comments