MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40a298c96e7be4f585a294ae8453cae3ba5628702462d5101ea607963041c9ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40a298c96e7be4f585a294ae8453cae3ba5628702462d5101ea607963041c9ad
SHA3-384 hash: 6824c91ae909915380347289ce6ac9bd5e39222e8af9b800037162ffc7e2aada8e1f6fdba613d0504482bd6fcd205c96
SHA1 hash: 493fae18577cc54d44a94e07bfde9709d9c8c841
MD5 hash: bd7ab8afeb2f2a7037a89ef16a88ab74
humanhash: quiet-twenty-earth-eighteen
File name:Ocxwgtrrxrnbohidoxavjksseafwerivek.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:928'768 bytes
First seen:2022-01-07 13:16:44 UTC
Last seen:2022-01-07 15:24:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0bae89e124c71b810d11db246a642fa6 (2 x Formbook)
ssdeep 12288:82rYPxajxQmavadsF3JqGQKXGD4irUea+EdhhY28fGBA+L93tVOp:8v5u1kadG3Jqy20ir/RWNA093ta
Threatray 12'814 similar samples on MalwareBazaar
TLSH T181157D25A770C4B1C66B9574CC0E42DC552DFE103934F9CB2AE6BCA90F396F8A475B82
File icon (PE):PE icon
dhash icon ece0f3d692d3c4cc (3 x OskiStealer, 3 x RemcosRAT, 2 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
345
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ocxwgtrrxrnbohidoxavjksseafwerivek.exe
Verdict:
Malicious activity
Analysis date:
2022-01-07 13:17:48 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/1f47a9e4-2e34-49b7-8141-096fe454ef60

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217714/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.26963.23453.19885.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Launching cmd.exe command interpreter
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook keylogger remcos zusy
Link:
https://www.filescan.io/uploads/61d83d551c0d769df9d59c9b/reports/c9d316f3-90e8-4c0b-8ec6-22140d0711ce/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3b60b74-c444-4b6d-861f-c09fb53b2dd0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916824
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549302 Sample: Ocxwgtrrxrnbohidoxavjksseaf... Startdate: 07/01/2022 Architecture: WINDOWS Score: 100 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 6 other signatures 2->75 10 Ocxwgtrrxrnbohidoxavjksseafwerivek.exe 1 17 2->10         started        process3 dnsIp4 61 vmracg.dm.files.1drv.com 10->61 63 onedrive.live.com 10->63 65 dm-files.fe.1drv.com 10->65 39 C:\Users\user\Contacts\Ocxwgtrrxr.exe, PE32 10->39 dropped 41 C:\Users\...\Ocxwgtrrxr.exe:Zone.Identifier, ASCII 10->41 dropped 97 Writes to foreign memory regions 10->97 99 Allocates memory in foreign processes 10->99 101 Creates a thread in another existing process (thread injection) 10->101 103 Injects a PE file into a foreign processes 10->103 15 DpiScaling.exe 10->15         started        file5 signatures6 process7 signatures8 105 Modifies the context of a thread in another process (thread injection) 15->105 107 Maps a DLL or memory area into another process 15->107 109 Sample uses process hollowing technique 15->109 111 2 other signatures 15->111 18 explorer.exe 4 2 15->18 injected process9 dnsIp10 43 sejinart.net 110.45.145.49, 49826, 49841, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 18->43 45 www.colorecom.com 156.255.206.8, 49831, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 18->45 47 29 other IPs or domains 18->47 77 System process connects to network (likely due to code injection or exploit) 18->77 79 Performs DNS queries to domains with low reputation 18->79 22 Ocxwgtrrxr.exe 15 18->22         started        26 Ocxwgtrrxr.exe 15 18->26         started        28 rundll32.exe 18->28         started        signatures11 process12 dnsIp13 49 vmracg.dm.files.1drv.com 22->49 51 onedrive.live.com 22->51 53 dm-files.fe.1drv.com 22->53 81 Multi AV Scanner detection for dropped file 22->81 83 Writes to foreign memory regions 22->83 85 Allocates memory in foreign processes 22->85 30 DpiScaling.exe 22->30         started        55 vmracg.dm.files.1drv.com 26->55 57 onedrive.live.com 26->57 59 dm-files.fe.1drv.com 26->59 87 Creates a thread in another existing process (thread injection) 26->87 89 Injects a PE file into a foreign processes 26->89 32 logagent.exe 26->32         started        91 Modifies the context of a thread in another process (thread injection) 28->91 93 Maps a DLL or memory area into another process 28->93 95 Tries to detect virtualization through RDTSC time measurements 28->95 35 cmd.exe 1 28->35         started        signatures14 process15 signatures16 67 Tries to detect virtualization through RDTSC time measurements 32->67 37 conhost.exe 35->37         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40a298c96e7be4f585a294ae8453cae3ba5628702462d5101ea607963041c9ad/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2022-01-07 13:17:18 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=icrjrsloppsplbncssxiiu6k4o5fmkdqerrnkea6uydzmmcbzgwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19cf4ce7f3aa0cb41dae8a27aa4421dce752bb3e083e8e0daf138bdfc113c7e6
Formbook
204831bda7d04f0905f7bf0c39e45b3772935726d8a436ee9703a19098b37e21
Formbook
230f53c0367ccdf77ff1f665ea66fcb2e6bb18c999b798980d8e0c9c19421eb3
Formbook
36b986f7d277f114be1166140b08a4ddb6300274d6365ea589fe129105445de7
Formbook
6bd5fda97afe76f3d6cc66ffac1350e77256315e151364355af9ee6d56be8ebf
Formbook
6d722da095632d50aa49b4749a4e7db323889aee6fad1ecc2c5dd999e63c645e
Formbook
7206a2aa27d3bb73daca20e7327a3e4cc2f66940e27cda04d3e8440450617596
Formbook
9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908
Formbook
926ce819159cfd0a999440d686f655fe92282024f5b44bae1e2db877a603f447
Formbook
deac58296321ec67026dc3de7275137fbdf1775e28fbd9e4d3bf528be7bc95ff
Formbook
+ 12'804 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:fm6i loader persistence rat
Link:
https://tria.ge/reports/220107-qjdxtscce4/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Unpacked files
SH256 hash:
5852f167948b3cf3fcd175ed0acc3cd43456ab0aecae4ac68121bde1906bcf39
MD5 hash:
bb66163c0a181098d801f3d6b775f73f
SHA1 hash:
fe4adcf4bf6146cac5b4eb192c99fc0cebba323b
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/573327ec-37ec-490b-adba-38cb6211737c/
Parent samples :
8865c82943ba3a6479fca40222a730e22e3d1cd279c6c6e0915c5c47f893636a
71cf991b9060d1fcefd467162ecfe99c89c47da31d29489e299f7bec73d56a83
dc8c2ca84a7c5468cfb7b6bf59396e0333c8d145dc08fd1efbbebd9fa0082dd7
9092a8499f245641da71311b2f4dcafac1b61c30f1f5d5808fed38f5125cbc57
4cdb484aff91fc4c74a8f2750296212dd12af808fee3e01bf9b8d0feafbd8fc1
c06ba0d73edee0ae9eb7cd4631273d6afb5608b0ebf669cb250b51dfc644cb85
40a298c96e7be4f585a294ae8453cae3ba5628702462d5101ea607963041c9ad
92cee18d0c9e246f28b38a8d35442d44f8cc8eab883b5e3e0c3a09ae96de846c
1dfdb77409e4402860f9a644890b904f68d377cc5f9320828aa320b7e835e207
65c55c73382e84ea8a229ba4c65ce12c956b3e86916e343ed6e933a10735e9b1
84e9426e79655328d7e51384cd16697772d5fa8043ef793e4777ec7e3c38c6d0
778fb400067e1de625dfa7e62e7091cc28e75fc44673562dc193f4b486fdcef0
a84d4b61bab51a5eaf7d9b1a96ab450a5057ddbebb4a38617755b6286d19e9a1
83f6940a0fadd38a9a73e859f46173631822ee985037994c6c55b328721d76bf
70d04c9ec5f8c5f8a5c1cd82ad19eee2ddd26145848bc2ffe90d1b51645cac2e
f31ca1220140f0489ddef71cf10ef3636537422acaefd6dd8d9199a942feb128
e98006424a36e34271488f8a584b535b0bdf1650d2da228ec4c2a94e24ca20bb
a2948f7e3c13f7c9a54e44a6bd601ca6b8a3c2d97b7c8d6b28d1475f0caf81b8
80bee5948290fe93aa9aba9789c364c3e71f4d9039ec68a56dc05a4af7b0a502
ad2910f066744846d0233c9eb6643a71fe1643e5a107646b95c88608cddf1ed8
fdf39d043cc55d6a72b1fe01c9067bb7591d5c379798499148521e6158afeea0
c7014edceec0fbe638312dcec8b8d1f0a5bf88dd282fc8ae9ec5d375820d270d
dbb93c60e5e74632af64452fe9ec5acd788140d0eb3231655a47203e86ef6b55
feb40c343aa65f5f5c0a32443535effa22652067c576416857e4d7280ce85e11
cab5f50e805b3a36e0ea6cf84c40b4b90e372fcd2f3f1024664af5440282d496
SH256 hash:
40a298c96e7be4f585a294ae8453cae3ba5628702462d5101ea607963041c9ad
MD5 hash:
bd7ab8afeb2f2a7037a89ef16a88ab74
SHA1 hash:
493fae18577cc54d44a94e07bfde9709d9c8c841
Link:
https://www.unpac.me/results/573327ec-37ec-490b-adba-38cb6211737c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/40a298c96e7b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40a298c96e7be4f585a294ae8453cae3ba5628702462d5101ea607963041c9ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 40a298c96e7be4f585a294ae8453cae3ba5628702462d5101ea607963041c9ad

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/217714/

Comments