MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 438844112d1161774efd0548c7398ead40d3b61423b9c0329d994dc54a681bde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	438844112d1161774efd0548c7398ead40d3b61423b9c0329d994dc54a681bde
SHA3-384 hash:	e14b5a61fd05f2c2cf086286b67cdee94d122535ae5bfde10046c803edcc5553759c4a2acd6a30c3881b1fbba5433755
SHA1 hash:	b1202753b1a774249983ac1bca0f1f131c89b6af
MD5 hash:	9f25378bad3a8189597a5f9d420ef70f
humanhash:	purple-cat-happy-johnny
File name:	BBVVCCVVB.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	378'568 bytes
First seen:	2022-01-19 14:26:02 UTC
Last seen:	2022-01-19 16:03:56 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	1536:mDufX7PvzvDyfSNbzhU47FEdSGVS9ZID9khfC3+bLrub2VdB3Zfcpn+1MVoyJPkN:mDufX7PvzWuXFEdSAeSD9jIr5GfqPrQ+
Threatray	12'750 similar samples on MalwareBazaar
TLSH	T1A884ECF9E7E34693F8315A36CB91433461327EC9A4E45DF645C8BA2C4E302DE921E96C
File icon (PE):
dhash icon	31f0c0b2b2c0f071 (8 x Formbook, 7 x AgentTesla, 4 x AsyncRAT)
Reporter	malwarelabnet
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

# of downloads :

179

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/220654/

Detection(s):

SecuriteInfo.com.generic.ml.2741.4583.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated overlay packed

Link:

https://www.filescan.io/uploads/61e81f860f8c757253ccaf00/reports/adbd5c18-6ecd-4968-b984-cac84057b660/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b6be2963-6bd6-4b0a-ae9d-a9151fa67f36

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/923508

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/438844112d1161774efd0548c7398ead40d3b61423b9c0329d994dc54a681bde/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-19 09:11:33 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

13 of 28 (46.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ioeeiejncfqxotx5avemoomovvanhnqueo44amu5tfg4kstidppa._file

Verdict:

malicious

Label(s):

formbook

Formbook

230f53c0367ccdf77ff1f665ea66fcb2e6bb18c999b798980d8e0c9c19421eb3

Formbook

7f4888239060a411b5a521d19e88bb1158189634f764383c2c2fc0bb84e01169

Formbook

9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908

Formbook

b24fe0dd0ec4d61ac6903f6579d59dcffd17d0e002c96803a551aa3ab17367ef

Formbook

d277fc7f7001598fc7730b3bfec96ce2749f616d64fe20bcd403a599b1bc7c2c

Formbook

d36d73e78b048c34b8ed4b2c1035f27c0c1857ae8eb5f1167942981139138b35

Formbook

f75fa96a8fe88dc2fffd64208705d26fb980db33afff6b872f34e1f9034e0363

Formbook

fa5511f4b07ca39be9b04bee49a2b103cf827a207d316d4d41bad9cede43c9bc

Formbook

+ 12'740 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:be4o loader rat

Link:

https://tria.ge/reports/220119-rrwchsafc9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

438844112d1161774efd0548c7398ead40d3b61423b9c0329d994dc54a681bde

MD5 hash:

9f25378bad3a8189597a5f9d420ef70f

SHA1 hash:

b1202753b1a774249983ac1bca0f1f131c89b6af

Link:

https://www.unpac.me/results/fdcfe112-305d-47a0-83eb-0171a369e6d3/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/438844112d11/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/438844112d1161774efd0548c7398ead40d3b61423b9c0329d994dc54a681bde

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/220654/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample