MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 454cdf27c94d9e4a69b615b12536293233057fc9c42fc3cfdab35e711a20694a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	454cdf27c94d9e4a69b615b12536293233057fc9c42fc3cfdab35e711a20694a
SHA3-384 hash:	63a709b533f7e7a0e14f8acecd128446c723eadac8fff4b77184faa32cfc5d01f4fc0f363828f89622eb52c7c526f140
SHA1 hash:	0265d0de904877a36ae4f5be3432765b1c4a0d7a
MD5 hash:	3a07a113a87ce5b2d08b67eeb9f5a77b
humanhash:	october-kitten-island-hotel
File name:	SKMTC_STOMANAS_7464734648592848Ordengdoc.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	395'961 bytes
First seen:	2021-06-22 12:18:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	6144:HBlL/uEXfsKdbAMsm6qUYTxpSnK1h2jtDVA90+R7y75PX:hf3dbAc6uTxsnK1wxpA90+R7yd/
Threatray	5'977 similar samples on MalwareBazaar
TLSH	A684CFA3F0D396D2E538813B519580631326A93BD1E418C687DFFBFB1877CC8199A867
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SKMTC_STOMANAS_7464734648592848Ordengdoc.exe

Verdict:

Malicious activity

Analysis date:

2021-06-22 12:19:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f48122ea-e3b6-4a7a-b068-9f4b7bbf9555

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/167552/

Detection(s):

SecuriteInfo.com..16680.22658.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/544390b0-fb3d-437f-b1e4-33ed588d556c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/805934

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/454cdf27c94d9e4a69b615b12536293233057fc9c42fc3cfdab35e711a20694a/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-06-22 12:19:10 UTC

AV detection:

13 of 29 (44.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ivgn6j6jjwpeu2nwcwysknrjgizqk76jyqx4ht62wnphcgranffa._file

Verdict:

malicious

Label(s):

formbook

Formbook

18245cb19e63733176ad7ca573d8d92b9a8291d6e8a62dc6af6f1491381bf526

Formbook

1a91deb8d42e066f792fed5e4feb0dbaacdec1a052f516e1287cf9625a8c9684

Formbook

3643c16e7017696ca2809399d3edbf2f7f7298e4ef3246951fac256e86176716

Formbook

6421a877340afab7934556dfd4d8ce52f187df24aa621242e65f3ea14f07c541

Formbook

8bd8e7edfd64f242eec8ebeaf0a473152c0f52de8f0318f8bcacf98326e0405a

Formbook

b2c2371d92995eb349a4d6be53af3c42798af56b94f59adf1d765d2905fd5871

Formbook

bc42a2014018e4644194a651f1a42916d2bd62154adda1e05ed3b5847a50317d

Formbook

c3ce9a925d6648a3fa48d02e7640a0d541435651585f11aa72bf8c66a63522ee

Formbook

f3685a744940da41b0244d007646f33463c59774e8489e7d3f7cf3abc9c8e662

Formbook

+ 5'967 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210622-tftdvq6qne/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.mambomakaya.com/ftgq/

Unpacked files

SH256 hash:

bbc3a0025b214037b27d5667bebcdcfb103c64daafd22745cb47102a6a6ca115

MD5 hash:

46b34b67fa5dc5cc6a1b3d90a9508121

SHA1 hash:

9e84c6bbcf8548cb28f9f5231c295f2d036051b4

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/99cbe90d-3281-4a1e-a073-61200804497b/

Parent samples :

bc42a2014018e4644194a651f1a42916d2bd62154adda1e05ed3b5847a50317d
3643c16e7017696ca2809399d3edbf2f7f7298e4ef3246951fac256e86176716
0b79991d57a301d4cdf1d4cf7234d2ad5afe5a3895e75b9c12d4bd16a385389a
92976a7ee61468fb88761dfa0f9cfdf99b6c6c484ae47e970986acf66926f3a0
454cdf27c94d9e4a69b615b12536293233057fc9c42fc3cfdab35e711a20694a
e05f95a61609a00f7c8372823b0cd8731524e3d938c8f54a11922491e1a70989
f515599d9ab7045656d0976c3aa5740feab68f862fa2e339379a1118f8ccba4a
8dec5ed95d3ca077bb1c2695074877a7160f97960df22a119d9f2debfb18dc0b
598a6fc7c9e91a6ce28af2833cb0e6262f28fab605fcd74098fc2edf9510b58f
24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849

SH256 hash:

bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

MD5 hash:

56a321bd011112ec5d8a32b2f6fd3231

SHA1 hash:

df20e3a35a1636de64df5290ae5e4e7572447f78

Link:

https://www.unpac.me/results/99cbe90d-3281-4a1e-a073-61200804497b/

SH256 hash:

454cdf27c94d9e4a69b615b12536293233057fc9c42fc3cfdab35e711a20694a

MD5 hash:

3a07a113a87ce5b2d08b67eeb9f5a77b

SHA1 hash:

0265d0de904877a36ae4f5be3432765b1c4a0d7a

Link:

https://www.unpac.me/results/99cbe90d-3281-4a1e-a073-61200804497b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/454cdf27c94d9e4a69b615b12536293233057fc9c42fc3cfdab35e711a20694a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 454cdf27c94d9e4a69b615b12536293233057fc9c42fc3cfdab35e711a20694a

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/167552/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample