MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a4c026f2e3c450b18931610d6a795ffe504c41ca1d4bf7d26c5a7a57abcf389. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	3a4c026f2e3c450b18931610d6a795ffe504c41ca1d4bf7d26c5a7a57abcf389
SHA3-384 hash:	a77eb45f7912f63461717228a30abc9d4d1d2c57fa522b929533453e37ebe8353fb063b5a80ec4a690a4cde067861dbe
SHA1 hash:	7c29ad75b4427e8415f5299350eee1dcee688ad8
MD5 hash:	33c844cd1d09529389849ca2db81b998
humanhash:	five-music-missouri-high
File name:	sex.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	408'064 bytes
First seen:	2022-02-28 14:07:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:MJf+qFrXxtDyUk1EfnpS9LWbvG3qFO291hnMfVIJfGSzqAZSq8SdwLq:MXFrDyUHnpZbvG3q59zsMVt
Threatray	13'957 similar samples on MalwareBazaar
TLSH	T16C94E149D7E78259CE64963BC4F333952F10E847E067D22BA4921B4B1C737EAFE80199
File icon (PE):
dhash icon	69d4b26868b2cc71 (23 x Formbook, 6 x SnakeKeylogger, 2 x AgentTesla)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

206

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/245364/

Detection(s):

SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware obfuscated packed shell32.dll update.exe

Link:

https://www.filescan.io/uploads/621cd750b94fb38cb424f6a5/reports/8cbfcc98-ea19-41cd-950b-704c877357e2/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6ea4d211-e649-4a50-834c-63c7a4e0ff84

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/947439

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/3a4c026f2e3c450b18931610d6a795ffe504c41ca1d4bf7d26c5a7a57abcf389/

Threat name:

ByteCode-MSIL.Trojan.AgentAGen

Status:

Malicious

First seen:

2022-02-28 10:33:37 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

25061f65fd6ccf3ba5ffee1beeae8dde4a05a8e8bee1873010732828111c83c2

Formbook

9522dbec3af60a6ad1e0839afd4f7b5206bd46c304e5201bb6e5262cc67c5433

Formbook

9767d52eebfbf17f2e549a57d68d7f11c199af327eeb20542b39485f883f61e1

Formbook

b972dfd3f5fd6142b67366d223c0056b75d3d93538a7c05ce35e27ad1c9541ed

Formbook

d54ba0a6fa5afd571a0799253f94562b50d30842a6d66ba1af62419ed7713131

Formbook

e803c5d292e1684844ff0ac82e76ca90caca1e44e7cd3507ce4ee4507b9d9fb2

Formbook

e812adcd8f8470a1be64d92dafaebf717db1c45d58fe04a9160d88a468cf7e3c

Formbook

ec6636f70ab0c5c4a752505049efb9e4ebb856671e6c47fe0c869b9efdf254d7

Formbook

+ 13'947 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:8gce loader persistence rat suricata

Link:

https://tria.ge/reports/220228-rf46aafgdr/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Deletes itself

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

cda06ebf603abeb5ef8d0ca171d4dd42021aea188bb2a961fb2cae6da968f3cb

MD5 hash:

619ac2fde36996ad6dc97b9ccb3472b7

SHA1 hash:

d06fc42e4e5bc6cc2801d36a9a6246db189f6cbd

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/f1ee65f8-1568-4fdc-b477-2fea49562349/

SH256 hash:

8a707d86a401c90c572cf5ce3b620fdbbcfc64230712f8a9b19c9bde0ded0aaa

MD5 hash:

14a0883237cbf8b547ff58b1f5055db6

SHA1 hash:

5f87655ef9b9b1a731e525148e90eca7f8faebfb

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/f1ee65f8-1568-4fdc-b477-2fea49562349/

SH256 hash:

9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026

MD5 hash:

9fbb8cec55b2115c00c0ba386c37ce62

SHA1 hash:

e2378a1c22c35e40fd1c3e19066de4e33b50f24a

Link:

https://www.unpac.me/results/f1ee65f8-1568-4fdc-b477-2fea49562349/

SH256 hash:

64de293303e3557e94b3b308d8be8c1bede12dc9c474311304154c71da628488

MD5 hash:

fd31d391a793749bbfb078245c2dd5ac

SHA1 hash:

4d790edab0f6edcfdc58af90fc7424d4394d8af4

Link:

https://www.unpac.me/results/f1ee65f8-1568-4fdc-b477-2fea49562349/

SH256 hash:

1cf2793faa355dbbb2a50bf6fab2fb112d328becd786c21a277ebe5bff51e5eb

MD5 hash:

374e1f2a58f06099c6d8949357282a8d

SHA1 hash:

38c489b69dea4173ec18f0ab103ea503efd139a5

Link:

https://www.unpac.me/results/f1ee65f8-1568-4fdc-b477-2fea49562349/

SH256 hash:

3a4c026f2e3c450b18931610d6a795ffe504c41ca1d4bf7d26c5a7a57abcf389

MD5 hash:

33c844cd1d09529389849ca2db81b998

SHA1 hash:

7c29ad75b4427e8415f5299350eee1dcee688ad8

Link:

https://www.unpac.me/results/f1ee65f8-1568-4fdc-b477-2fea49562349/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3a4c026f2e3c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/3a4c026f2e3c450b18931610d6a795ffe504c41ca1d4bf7d26c5a7a57abcf389

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/245364/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample