MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40628d32ef0746f397d0d41b839530eae24d249dd2f414450a8d9dda03741d10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40628d32ef0746f397d0d41b839530eae24d249dd2f414450a8d9dda03741d10
SHA3-384 hash: 73141f6510feafc17def9a17291f38df51346761d8c3298482e9edb1e358483dc8c1e90b9ce8c6d7f0699a35557a7527
SHA1 hash: d91edbe0f109370c41af0163c9ca6c49a9ae533e
MD5 hash: 489955bed03869f71b4f9639f2566905
humanhash: saturn-fillet-idaho-robert
File name:SecuriteInfo.com.Variant.Jaik.44831.27142.27292
Download: download sample
Signature Formbook
Create hunting rule
File size:221'668 bytes
First seen:2021-03-31 08:50:27 UTC
Last seen:2021-03-31 09:43:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 3072:nTs3BxJNmJNV8GhNhDh09Ixfbewvm0C46i0MZA47zb6zDX0at7XO7tXYsne3X4Cd:nAPXGbpG9IxzsMZjzb6P0BdYFX4o
Threatray 4'468 similar samples on MalwareBazaar
TLSH 482412892FF2E03BDA0517F5097B5732F3F6B9102E480A3B97265F6D3D60596D61220E
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Original Invoice-COAU7230734290.xlsx
Verdict:
Malicious activity
Analysis date:
2021-03-31 07:02:41 UTC
Tags:
encrypted exploit CVE-2017-11882 trojan formbook stealer
Link:
https://app.any.run/tasks/4c15f14e-06cd-488e-8526-a376ee1183ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/129235/
Detection(s):
SecuriteInfo.com.Variant.Jaik.44831.27142.27292.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/660004
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/40628d32ef0746f397d0d41b839530eae24d249dd2f414450a8d9dda03741d10/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 07:38:56 UTC
AV detection:
6 of 47 (12.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ibri2mxpa5dphf6q2qnyhfjq5lre2je52l2birikrwo5ua3uduia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1b1837b1504714c306a023b8488d15e81b939b6394ff511fb619fa38f264622a
Formbook
1de5c6b986a6401ba0490ccce78e8bf125d9604d07c4ad87a856a588f0aba6cb
Formbook
5e7b6e81d3f73322d73bf013d67f76e211f0e539296e00a53d93585b0c167ba2
Formbook
7095eaf52cf5806f19b13137aa004a72f92cea88fc94c4397dd1f10aa08e8b1a
Formbook
7e88f1c425154e6fff6d031aaaa4d8bb4c8ff131e429f44310fd936bfc08b357
Formbook
95eedb3eaf98ec12d5f66609278d43f94e1f635420d413ee0672bbf9434aafa4
Formbook
9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
Formbook
9cf07e6cbf0321dc63141d5d14b6df920c9c90ee178636def703946324fec78b
Formbook
a3d951fa76fbb0f24540b97767e2d327b9bdb2e6e93721cb3da4ac5370118dbc
Formbook
f711f998297a0d98cb243f6ce2c0ed47271be92cad4ad0aa53cd369fb16c1746
Formbook
+ 4'458 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210331-bbb4ne8p8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.fountainhead410.com/jzvu/
Unpacked files
SH256 hash:
1847ef269c087fa71f83b33235fa1e0de0e9cc6a04ea88dd786c8b04a55f1fb6
MD5 hash:
830800fbc0c5f347f42a15a6457e235d
SHA1 hash:
0491fa011fe03094bd095e12410058c42ed9a222
Link:
https://www.unpac.me/results/2b51aff1-4374-477e-bacd-bf6598f3679c/
SH256 hash:
40628d32ef0746f397d0d41b839530eae24d249dd2f414450a8d9dda03741d10
MD5 hash:
489955bed03869f71b4f9639f2566905
SHA1 hash:
d91edbe0f109370c41af0163c9ca6c49a9ae533e
Link:
https://www.unpac.me/results/2b51aff1-4374-477e-bacd-bf6598f3679c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/40628d32ef0746f397d0d41b839530eae24d249dd2f414450a8d9dda03741d10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 40628d32ef0746f397d0d41b839530eae24d249dd2f414450a8d9dda03741d10

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1099911/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/129235/

Comments