MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096
SHA3-384 hash: 454853c974224b1e3f6712c1c958500cb55fcd223b5d0e29c32534d77e3566cbf5a98e5f9fa04c9ca8f7e8a19905562d
SHA1 hash: aad1eed1c53f1d33ab52e13442b036bfeee91f1b
MD5 hash: ff882802d113ed02fa070c496f89d797
humanhash: comet-oxygen-artist-nevada
File name:DWG.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:626'688 bytes
First seen:2021-10-28 05:37:52 UTC
Last seen:2021-10-28 07:24:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c4824f327856ec0705e7797356a7405e (2 x Formbook)
ssdeep 12288:N7MTwrEg4nkEo2sH2yefktZkgHAyRsrGGFJr23+sejpAmiL:lMTwrEgskEorogHA0slrsfejc
Threatray 10'843 similar samples on MalwareBazaar
TLSH T1B5D4BF017B78E9E6E2A360754962AD354970E5B02A3F4CC37FC69E4EA9389C01B35F17
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/200794/
Detection(s):
SecuriteInfo.com.Variant.Zusy.373465.13140.28098.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/617a3740db358dd15ee21403/reports/100de5b2-974b-4027-8718-29a8c98c5ecf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1b8bc425-f5bc-4e4b-b057-41d3db9f66f9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878303
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 510733 Sample: DWG.exe Startdate: 28/10/2021 Architecture: WINDOWS Score: 100 34 www.mylyk.net 2->34 36 mylyk.net 2->36 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 7 other signatures 2->46 11 DWG.exe 1 2->11         started        signatures3 process4 signatures5 56 Tries to detect virtualization through RDTSC time measurements 11->56 14 DWG.exe 11->14         started        process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 28 www.jntycy.com 154.216.113.38, 49814, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 17->28 30 publiccoins.online 198.187.31.159, 49816, 80 NAMECHEAP-NETUS United States 17->30 32 7 other IPs or domains 17->32 38 System process connects to network (likely due to code injection or exploit) 17->38 21 svchost.exe 17->21         started        signatures10 process11 signatures12 48 Self deletion via cmd delete 21->48 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2021-10-28 00:40:32 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iilp6t5hkmzatjxfbrxqlrjbnofpwrloni5lnns63h6l3pjhkcla._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ce4e2f71989e9a0a4aef640b12237135e2be4b037f9cf533ca7925224e9daa8
Formbook
26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495
Formbook
776df245d497af81c0e57fb7ef763c8b08a623ea044da9d79aa3b381192f70e2
Formbook
84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d
Formbook
88f9f44e6cb13da79a3967ffa56a9d8c46d8d49623518df5e90c3d4cf72b3b79
Formbook
c18d5baf727358a8635a51fc7cfb4c3f4c90c78abcecf051feb4540323e98746
Formbook
fff77f3852a66a56bad4ec5bc1c1bc2afb0b08b8ea65393384a1ee6917dcb355
Formbook
+ 10'833 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:xzes loader rat
Link:
https://tria.ge/reports/211028-gbqf8ahcf4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.elsist.online/xzes/
Unpacked files
SH256 hash:
bd1c1900ac1a6c7a9f52034618fed74b93acbc33332890e7d738a1d90cbc2126
MD5 hash:
18c5bd51dc833a73288d137a9cee7349
SHA1 hash:
c3bf87e4cf4073bd1e252bb7928b48c49e9ac899
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/cd4ea44b-7aa1-46f1-864a-f3dfacc4c8a8/
Parent samples :
776df245d497af81c0e57fb7ef763c8b08a623ea044da9d79aa3b381192f70e2
4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096
38935c02661ece35d0287947cc94f02f5256389e1f47b43f701d01e67ef65d78
ce02bd114270b91b5f1b727ec890ab5e448f22f98e074e791b685d42968c88ca
3913a9784209fd5c73d1b4c31a77d8ba5ecd175c38cf7c1a1378951eee808f34
SH256 hash:
ee405153ac9fd5ae63aa0be3a5421e98492a86661fac15b1fde0bc6070342810
MD5 hash:
d433d089ce28b410cc7282f507ef61fb
SHA1 hash:
6ee3c2eac249840f034e7b4cfbdb9044bb6c741e
Link:
https://www.unpac.me/results/cd4ea44b-7aa1-46f1-864a-f3dfacc4c8a8/
SH256 hash:
4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096
MD5 hash:
ff882802d113ed02fa070c496f89d797
SHA1 hash:
aad1eed1c53f1d33ab52e13442b036bfeee91f1b
Link:
https://www.unpac.me/results/cd4ea44b-7aa1-46f1-864a-f3dfacc4c8a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/200794/

Comments