MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36499f5c573a8752c3b566b19e52f3a235e73e4cdb7123f3452a007c945f7daf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36499f5c573a8752c3b566b19e52f3a235e73e4cdb7123f3452a007c945f7daf
SHA3-384 hash: dc860958f29a342b4b23a0fe41566a07cc758c3eca1942395a704f54b6e64d5090928eef3aa2142a981815de292023b2
SHA1 hash: 4a2c197f0a75e3e381ebb4df75ef3cbb5081a8ff
MD5 hash: 71b4c855323d26af21ea4989312db160
humanhash: alpha-eighteen-ten-artist
File name:Textile Requirements.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:648'192 bytes
First seen:2021-08-17 13:58:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 58577023fa3560e544b0a319d4631c85 (1 x Formbook)
ssdeep 12288:PMlneNP5lV0CZ/1bkdneOlcByuN60pUP5PgsqKmHf4Zh8y2Y8AtlJU:PYeLvZ/uNzlcHHqF3mHwv8EBU
Threatray 7'934 similar samples on MalwareBazaar
TLSH T141D4F1213A81C4B1D92641311EF4E73191BDBBB20B6259DBF7EE0F6C5B325C1AB31296
dhash icon e88f080c0c088be8 (5 x Formbook)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180019/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de24cdf2-598e-4464-b3f8-c51ad2af78fc
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834507
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36499f5c573a8752c3b566b19e52f3a235e73e4cdb7123f3452a007c945f7daf/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 13:59:14 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gzez6xcxhkdvfq5vm2yz4uxtui26opsm3nysh42ffiahzfc7pwxq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
Formbook
2eb57ff3dfafc142e693dd878044f38cb02090cbef35246b2525d19abf0fbaf5
Formbook
3638ac885ef63f3b5bfadd95b0f43c34c3854e2483adde873b3d5fca7a831632
Formbook
6520c8e7f0f0ad32a8599cffd8d908860f6e0ade6fb41104b31657f8a27a908b
Formbook
77f75ced9cfdb9bff40e705aaced15795f123e460db0fcb97463e0515aaf8af1
Formbook
7ec78d6c2c919a22185cb0000f2e273d66019b8409a3ca47c819d44cedead22e
Formbook
87ad57ffa31e9b3481663bd81249ec1e563dc2931bb4bb2045b06ea7917f1593
Formbook
b1fbc6ceb27ff1142228b55cfc493da29609dcaf9660ce70af8e574beecfd560
Formbook
c58abe9cc2eda9f80841417a5e8dd7c75416cf0183a6fda6b616a2c312450ab5
Formbook
f96442a26d160132827a3b109acadaf4aad9dab625939103677cc93783c93ea6
Formbook
+ 7'924 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:urre loader rat
Link:
https://tria.ge/reports/210817-zb7ejpmgbe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.agencyke.com/urre/
Unpacked files
SH256 hash:
36499f5c573a8752c3b566b19e52f3a235e73e4cdb7123f3452a007c945f7daf
MD5 hash:
71b4c855323d26af21ea4989312db160
SHA1 hash:
4a2c197f0a75e3e381ebb4df75ef3cbb5081a8ff
Link:
https://www.unpac.me/results/c2de5649-40de-40de-b8a9-f7e547883e69/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36499f5c573a8752c3b566b19e52f3a235e73e4cdb7123f3452a007c945f7daf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 36499f5c573a8752c3b566b19e52f3a235e73e4cdb7123f3452a007c945f7daf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/180019/

Comments