MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 433494d21eabe777d1947da83d6281e5ac35bf98eea4791fcebf5e1561723384. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 433494d21eabe777d1947da83d6281e5ac35bf98eea4791fcebf5e1561723384
SHA3-384 hash: 181ababd25b5f547f7a8a4d25c69fa0a66af26dfa6ddc06fd2368a69a794b6b586cb7f0bc4e317cdb15c907316eaa708
SHA1 hash: 847997208218185f757555f8c2fc15fc4b180f36
MD5 hash: f7058072591bbc7032cc0daedbccbf85
humanhash: berlin-papa-montana-north
File name:f7058072591bbc7032cc0daedbccbf85
Download: download sample
Signature Formbook
Create hunting rule
File size:463'298 bytes
First seen:2021-11-11 11:23:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a64c6e908e2c83802822128ba8ce8ade (2 x Formbook)
ssdeep 6144:vBMYXoufOfAZ/8tbayAZIxS6YnJRrQTW5Px9xxVjIkgk9cEPIbdZGeWeXI:vBMYGfAy/YnJgabRb9LgbWehI
Threatray 11'097 similar samples on MalwareBazaar
TLSH T172A49D13A7A45426E9F3ECF20D7669B578E4BDA118708B5FA10478ED1C31B83B4E931B
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204958/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37993076.22544.11215.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/618cfd58dec3347825a1f575/reports/69e93ce9-7a19-4d02-8301-9c6206e15177/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d8d402e-3ce0-4abd-bf4d-ca7327f1791c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/887407
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 519880 Sample: HB8aERmVAq Startdate: 11/11/2021 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->31 33 Potential malicious icon found 2->33 35 Found malware configuration 2->35 37 5 other signatures 2->37 9 HB8aERmVAq.exe 2->9         started        process3 signatures4 39 Tries to detect virtualization through RDTSC time measurements 9->39 41 Injects a PE file into a foreign processes 9->41 12 HB8aERmVAq.exe 9->12         started        process5 signatures6 43 Modifies the context of a thread in another process (thread injection) 12->43 45 Maps a DLL or memory area into another process 12->45 47 Sample uses process hollowing technique 12->47 49 Queues an APC in another process (thread injection) 12->49 15 cmd.exe 12->15         started        18 explorer.exe 12->18 injected process7 dnsIp8 51 Self deletion via cmd delete 15->51 53 Modifies the context of a thread in another process (thread injection) 15->53 55 Maps a DLL or memory area into another process 15->55 57 Tries to detect virtualization through RDTSC time measurements 15->57 21 cmd.exe 1 15->21         started        25 obatkuatsemarang.xyz 103.253.212.248, 49787, 80 RUMAHWEB-AS-IDRumahwebIndonesiaCVID Indonesia 18->25 27 banahinvestments.com 38.143.25.232, 49816, 80 GIGSGIGSCLOUD-AS-APGigsGigsNetworkServicesHK United States 18->27 29 11 other IPs or domains 18->29 59 System process connects to network (likely due to code injection or exploit) 18->59 61 Performs DNS queries to domains with low reputation 18->61 signatures9 process10 process11 23 conhost.exe 21->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/433494d21eabe777d1947da83d6281e5ac35bf98eea4791fcebf5e1561723384/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-11-11 11:24:09 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
115716164b2092df207c750d11a2b4ce05bee204b7f21f1f62d93a5b7d78afa1
Formbook
222c8a0ce49171c3bb93631e7001bb152ad05fa4ba13437a173f1d0dd9fd0a4e
Formbook
2f2831bdecd1f925134fd944fc57f84b76ffe872e01c66f3662f1f9194a4b362
Formbook
31accabae2032a0fda8dd449182167521360e258df6ebd2316130399d910e990
Formbook
5852e0b1479d914e16a2f1cf21d61ff4e1f3d35b6fa5dbcf0055cfc2c9a89936
Formbook
b9dbb2677a8f3458f8d18b61f12be090a7d6e9460f1e8ec423bd5dea483e1459
Formbook
ba22bb07f3ef12877682493d25ed29cf6e2ca6c9ce2bc9527396a7bae00ec578
Formbook
cf3038247c7a2a5779f655fdf594bdad56b22d198b6edb1c3197b84d9c4f153a
Formbook
e6d987f72ba6218615e53b91de3d7229e3cc0da6768fd3bdbd758dfb7af4a990
Formbook
f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175
Formbook
+ 11'087 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:fpdi loader rat
Link:
https://tria.ge/reports/211111-nhp8csgcfk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.walletwriter.space/fpdi/
Unpacked files
SH256 hash:
45993229b5148370f59d05e6068d94ddc7aaf8be8640e8a204bcedc8b42ca189
MD5 hash:
8e64a4f11754d9f7df4a44f4dd3510ea
SHA1 hash:
e720f346c00392a44d26f491864e330521ad8d9b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/63952668-81dc-46c1-a60a-004c48f10f2b/
Parent samples :
de43df6bd459b56aec0cd86e0873cc0c5b556e08547e2b9ea79082c44d9b7220
bc9c454602a2435a2a4acda216dcc014d4687417d3be4d5ca65a35b05659dafc
96816acd0abd28461e4c67cc569fbb5546caae7a0756668f0031109a8725b9a1
433494d21eabe777d1947da83d6281e5ac35bf98eea4791fcebf5e1561723384
SH256 hash:
433494d21eabe777d1947da83d6281e5ac35bf98eea4791fcebf5e1561723384
MD5 hash:
f7058072591bbc7032cc0daedbccbf85
SHA1 hash:
847997208218185f757555f8c2fc15fc4b180f36
Link:
https://www.unpac.me/results/63952668-81dc-46c1-a60a-004c48f10f2b/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/433494d21eab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.69
Link:
https://yomi.yoroi.company/submissions/433494d21eabe777d1947da83d6281e5ac35bf98eea4791fcebf5e1561723384

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 433494d21eabe777d1947da83d6281e5ac35bf98eea4791fcebf5e1561723384

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1776302/
Cape
Cape
https://www.capesandbox.com/analysis/204958/

Comments


Avatar
zbet commented on 2021-11-11 11:23:43 UTC

url : hxxp://198.12.127.139/1113/vbc.exe