MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4611b180e4173882dba3e08aaa44ae28ce14d2f2709b2017082d57bcdecfb352. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4611b180e4173882dba3e08aaa44ae28ce14d2f2709b2017082d57bcdecfb352
SHA3-384 hash: ae7da65e1184150bcbf1560a7c0db912dbe2eca8c905fc24f0c99e93038d563b1fd27726a803cd6d7c9e3e152a03979b
SHA1 hash: 1d90fd2f8120f58aa03563cc2e288c030acbec66
MD5 hash: 006bcb5433c4b41a56237b911c439f16
humanhash: dakota-lion-chicken-emma
File name:Page-2.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:801'792 bytes
First seen:2021-09-15 14:57:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 459f402db2809e477a1dda0946703c4f (2 x RemcosRAT, 2 x Formbook, 1 x AveMariaRAT)
ssdeep 24576:e0KXbYUlmM/OwPVPZzKHrCHW2h8DAaTY2kjpPPobRf+0awpxh9aWRZEfhqdrpXeW:eZmMjxVW2h8DAaTY2kjpPPobRf+0awpm
Threatray 9'489 similar samples on MalwareBazaar
TLSH T107058E91A293C972F82E1A3D8CCA76449529FD903FD89C669BF4EE791F342903D1805F
dhash icon fae5d39a443434c4 (2 x RemcosRAT, 2 x Formbook, 1 x AveMariaRAT)
Reporter malwarelabnet
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Page-2.exe
Verdict:
Malicious activity
Analysis date:
2021-09-15 15:01:25 UTC
Tags:
installer trojan formbook stealer
Link:
https://app.any.run/tasks/dec3bc8b-8508-46a5-a80e-6e443d16c227

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/188222/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader43.22177.15292.14234.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Modifying an executable file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/61751ba8db358dd15ed925db/reports/678eaa89-6ddd-4ff9-9adf-cff244ee7e4e/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eea9457d-0830-4080-a57b-d45751dae664
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/851521
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 483952 Sample: Page-2.exe Startdate: 15/09/2021 Architecture: WINDOWS Score: 100 45 www.youngmuscleboys.com 2->45 47 www.sakuracdn.com 2->47 71 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->71 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 3 other signatures 2->77 11 Page-2.exe 1 17 2->11         started        signatures3 process4 dnsIp5 61 cdn.discordapp.com 162.159.133.233, 443, 49737, 49738 CLOUDFLARENETUS United States 11->61 43 C:\Users\Public\Libraries\Mxucrpvt.exe, PE32 11->43 dropped 97 Writes to foreign memory regions 11->97 99 Allocates memory in foreign processes 11->99 101 Creates a thread in another existing process (thread injection) 11->101 103 Injects a PE file into a foreign processes 11->103 16 DpiScaling.exe 11->16         started        file6 signatures7 process8 signatures9 63 Modifies the context of a thread in another process (thread injection) 16->63 65 Maps a DLL or memory area into another process 16->65 67 Sample uses process hollowing technique 16->67 69 2 other signatures 16->69 19 explorer.exe 4 5 16->19 injected process10 dnsIp11 49 myeasymoney.online 198.54.126.36, 49786, 80 NAMECHEAP-NETUS United States 19->49 51 www.rosewebdev.xyz 103.3.2.61, 49787, 80 BIT-ISLEEquinixJpapanEnterpriseKKJP Japan 19->51 53 2 other IPs or domains 19->53 79 System process connects to network (likely due to code injection or exploit) 19->79 81 Performs DNS queries to domains with low reputation 19->81 23 Mxucrpvt.exe 13 19->23         started        27 Mxucrpvt.exe 15 19->27         started        29 msiexec.exe 19->29         started        signatures12 process13 dnsIp14 55 cdn.discordapp.com 23->55 85 Writes to foreign memory regions 23->85 87 Allocates memory in foreign processes 23->87 89 Creates a thread in another existing process (thread injection) 23->89 31 dialer.exe 23->31         started        57 162.159.135.233, 443, 49746 CLOUDFLARENETUS United States 27->57 59 cdn.discordapp.com 27->59 91 Injects a PE file into a foreign processes 27->91 34 DpiScaling.exe 27->34         started        93 Modifies the context of a thread in another process (thread injection) 29->93 95 Maps a DLL or memory area into another process 29->95 36 cmd.exe 1 29->36         started        signatures15 process16 signatures17 105 Uses netsh to modify the Windows network and firewall settings 31->105 107 Modifies the context of a thread in another process (thread injection) 31->107 109 Maps a DLL or memory area into another process 31->109 111 2 other signatures 31->111 38 netsh.exe 31->38         started        41 conhost.exe 36->41         started        process18 signatures19 83 Tries to detect virtualization through RDTSC time measurements 38->83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4611b180e4173882dba3e08aaa44ae28ce14d2f2709b2017082d57bcdecfb352/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-15 14:58:07 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iyi3dahec44ifw5d4cfkurfofdhbjuxsocnsafyifvl3zxwpwnja._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1ab52bac5850518b5e948ea170b9d5b9f7e2aca962e4ed99d171085cdf970e19
Formbook
3f383c683795d277510e0fb4c806ae17bfb33dd6ff875b66c159068e58c28818
Formbook
4105711ebff133af5304052a1f66966be4115636d707ff6b20e784af2bddda23
Formbook
4b6fb9eac1ea52e013bfb4061a1232fe0d145bc9e260df9bd0d76b1a31be78bf
Formbook
a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26
Formbook
a9010421ea97c10ab6147e6c5077fab296030b13c26b6645502b6165e2e9d4db
Formbook
c51d0fcb5c1fe7fdd146d5216ad3108fe0ad9baba0fda491a9b7a4f4a33b8801
Formbook
cfdb27a9ff39bd1aa5a0a43fe6e272c269a311f5748d8a13b2e705f7d66f16bd
Formbook
+ 9'479 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:qcrn loader persistence rat suricata
Link:
https://tria.ge/reports/210915-sb6nzsdhdp/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.creditmark.solutions/qcrn/
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/c0418afd-5502-4779-8943-ed3790506f4f/
SH256 hash:
4611b180e4173882dba3e08aaa44ae28ce14d2f2709b2017082d57bcdecfb352
MD5 hash:
006bcb5433c4b41a56237b911c439f16
SHA1 hash:
1d90fd2f8120f58aa03563cc2e288c030acbec66
Link:
https://www.unpac.me/results/c0418afd-5502-4779-8943-ed3790506f4f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4611b180e417/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4611b180e4173882dba3e08aaa44ae28ce14d2f2709b2017082d57bcdecfb352

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188222/

Comments