MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c30562fe4d02debdc7ff0d3a101e4807010b779166bbafd25ae0fd068b7255a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DoubleBack


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c30562fe4d02debdc7ff0d3a101e4807010b779166bbafd25ae0fd068b7255a
SHA3-384 hash: 639b3f07c9bec304c1890c2aa2464030aef4168623391e1573a56ece52f091637d95cf4a7d5386848cad87dec6b96283
SHA1 hash: 62fbbe10edc2307122781ed4663f22a66240e02f
MD5 hash: 6d9ef4a9c32c43a60ca63e4c62a172ad
humanhash: may-fillet-mountain-white
File name:6d9ef4a9c32c43a60ca63e4c62a172ad
Download: download sample
Signature DoubleBack
Create hunting rule
File size:744'448 bytes
First seen:2021-08-31 08:50:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:22UxqDFKrirQuHKVPg/XUHm+PWD5jPMER/kfggcD7pQvKH7+cYnlST:zUmFguqpg/Zk4DguxHDT
Threatray 8'636 similar samples on MalwareBazaar
TLSH T1A6F42C7F19BDA2278175C6F58BE78827F0108B6F3110696476D347264322A7AB4F336E
Reporter zbetcheckin
Tags:32 doubleback exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6d9ef4a9c32c43a60ca63e4c62a172ad
Verdict:
Suspicious activity
Analysis date:
2021-08-31 09:11:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f07d4719-f0f1-49d4-9314-55b036d23a2b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184085/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7ea3633b-f90c-4b48-89d9-79bceac9a6db
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842407
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 474835 Sample: GSwiAEpeZP Startdate: 31/08/2021 Architecture: WINDOWS Score: 100 34 www.valueplants.com 2->34 36 www.pempekgputra.com 2->36 38 2 other IPs or domains 2->38 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 6 other signatures 2->48 11 GSwiAEpeZP.exe 3 2->11         started        signatures3 process4 signatures5 58 Tries to detect virtualization through RDTSC time measurements 11->58 60 Injects a PE file into a foreign processes 11->60 14 GSwiAEpeZP.exe 11->14         started        process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 17 explorer.exe 14->17 injected process8 dnsIp9 28 www.southerngiggle.com 17->28 30 www.xs-of.com 192.151.255.36, 49725, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK United States 17->30 32 9 other IPs or domains 17->32 40 System process connects to network (likely due to code injection or exploit) 17->40 21 cscript.exe 17->21         started        signatures10 process11 signatures12 50 Self deletion via cmd delete 21->50 52 Modifies the context of a thread in another process (thread injection) 21->52 54 Maps a DLL or memory area into another process 21->54 56 Tries to detect virtualization through RDTSC time measurements 21->56 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3c30562fe4d02debdc7ff0d3a101e4807010b779166bbafd25ae0fd068b7255a/
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1b4d3e69b4e2e533522d48f27a0137e34b92b01e36d348c12f0df4371ed7d573
DoubleBack
2f36f2e2951a2540ab138afc8ac70f8bb37b83f01199434e247aa6716e1eb47a
DoubleBack
3638ac885ef63f3b5bfadd95b0f43c34c3854e2483adde873b3d5fca7a831632
DoubleBack
4558ca0720eed3f8e2554006b53c896b3f6e57a1ab25e62f5914478f2b89e111
DoubleBack
70e7c5966ac86d48e0519f9b2b34703d2915b603836f4de0be2a2badddd258e7
DoubleBack
73e5b50b261f0d3f8e31c4cd387f86be97b206b9a5cda3dfe0122618bce85151
DoubleBack
8d56e8c41d8094151017ec3cecc40b5aa78edb0d955d39f3c68c3d211fbcb65a
DoubleBack
c494dceddfa1c8c6944a93f902c641ab5f99352ba48b81849e576f7da353314c
DoubleBack
ea0398e9c644309652d60f4261c03ba7aa64bf8fddd4960c7e65fcb732af4530
DoubleBack
fad8f6a07c20b0594611901f079ab4ad87c3c0a3ff5e776eee1f86b4b56abd4c
DoubleBack
+ 8'626 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:imi7 loader rat
Link:
https://tria.ge/reports/210831-1gyjhrg3rn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.southerngiggle.com/imi7/
Unpacked files
SH256 hash:
ea88e40b750a9f44289afb18b9096c14c1a0d81ae92bd236fe3fd15bf9f8dd27
MD5 hash:
8110d942a1afd5a03fb68ef51e9bce54
SHA1 hash:
d22bf05fd3f760e6f65d5ab239adf71c25f0be09
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/7c0b2922-f378-447e-b745-4e9fc7c0c842/
Parent samples :
3c30562fe4d02debdc7ff0d3a101e4807010b779166bbafd25ae0fd068b7255a
12de2f015642b7430fdf5e76d186dc2c38161f4e2238e84d8dd9e4125d3bceec
4474153b57e54b4c94dc0c4e063dde0a7f296bc8f20a7a5d41d99d91c4239cc0
b83afeb8225d897dcac8a075bfda8659a64ac5b6c7db788e6913bf7e168caacf
bf9f97f369f730dbe091c7a5304ae2503f61eb0f226bfc763e0681cf07035618
ca9d13706dad307a2021d1fa1683e46b5b9670b92ad0ee5e474cbea0620d6299
01459f26c9c160284fbb5d73fe3e2c05634295c07c78b9667107950526af179c
4bd5c83d0ec09eb7019537466d0c3c1469986dce8c358041f65be1a60a6b6fe4
SH256 hash:
9248c72103d9eb39d87d2ce23e1a5792e6c0118296401bce98538e670fe03b29
MD5 hash:
2b86c47ae7025c90ccb8007a46fea304
SHA1 hash:
bb240faf83699c66706b10fcb4aa16e099019cdf
Link:
https://www.unpac.me/results/7c0b2922-f378-447e-b745-4e9fc7c0c842/
SH256 hash:
fde77ba95771eb9e1e9694c513a022a6b738fe0fc99bb20aaedc66a250db89db
MD5 hash:
00a358d59a96aaa1c4874f0c678bb566
SHA1 hash:
ad263cdb73d97ed83761abf9dcc621fe6b60eae2
Link:
https://www.unpac.me/results/7c0b2922-f378-447e-b745-4e9fc7c0c842/
SH256 hash:
3c30562fe4d02debdc7ff0d3a101e4807010b779166bbafd25ae0fd068b7255a
MD5 hash:
6d9ef4a9c32c43a60ca63e4c62a172ad
SHA1 hash:
62fbbe10edc2307122781ed4663f22a66240e02f
Link:
https://www.unpac.me/results/7c0b2922-f378-447e-b745-4e9fc7c0c842/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/3c30562fe4d02debdc7ff0d3a101e4807010b779166bbafd25ae0fd068b7255a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DoubleBack

Executable exe 3c30562fe4d02debdc7ff0d3a101e4807010b779166bbafd25ae0fd068b7255a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1579949/
Cape
Cape
https://www.capesandbox.com/analysis/184085/

Comments


Avatar
zbet commented on 2021-08-31 08:50:16 UTC

url : hxxp://103.133.106.199/boi/vbc.exe