MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1
SHA3-384 hash: 72ea7c1d12abe4e2a6f21b58fb61b5830bcf7be47d8e12297fd536c7320941f351c85044bfa7707c63eaae80694c6af6
SHA1 hash: 4f832fa9e5856ed0e9c1fae8ee2d95c3f3f302e7
MD5 hash: da4e703a7ba3b91389253c94430182c9
humanhash: idaho-winner-robin-georgia
File name:PO201808143_330542IMG_20200710_0008.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:740'864 bytes
First seen:2021-11-26 12:20:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 01f42bb56bd8196b0da3b3826e73efd5 (4 x Formbook, 1 x RemcosRAT, 1 x DBatLoader)
ssdeep 12288:HOYMYlxIimj6qr9wMiE+wGFYjA2KY59roDBM6nGplGJY:HOJYMimv+9wGqfKY59cM6GplGJ
Threatray 11'843 similar samples on MalwareBazaar
TLSH T11CF45B5AE7C36038D5671CBEB91E1A509C543E222BCE7C6E1DE57C484F72B927832236
File icon (PE):PE icon
dhash icon 74f0888a8c8880b4 (5 x Formbook, 2 x RemcosRAT, 2 x DBatLoader)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO201808143_330542IMG_20200710_0008.exe
Verdict:
Malicious activity
Analysis date:
2021-11-26 12:22:34 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/6d0a41cf-573e-4084-926e-73fd4521ab3f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Zusy.408309.14966.9919.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a process from a recently created file
Searching for synchronization primitives
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/61a0d13102c80febc2aa2b80/reports/da663c23-0947-4567-bc86-a5399ac47b01/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d7c37b92-bd71-49ad-bfda-681f9716e182
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896697
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Sigma detected: Powershell Defender Exclusion
Sigma detected: TrustedPath UAC Bypass Pattern
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 529171 Sample: PO201808143_330542IMG_20200... Startdate: 26/11/2021 Architecture: WINDOWS Score: 100 69 cdn.discordapp.com 2->69 89 Found malware configuration 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 Antivirus detection for URL or domain 2->93 95 6 other signatures 2->95 12 PO201808143_330542IMG_20200710_0008.exe 1 25 2->12         started        signatures3 process4 dnsIp5 71 cdn.discordapp.com 162.159.135.233, 443, 49772, 49773 CLOUDFLARENETUS United States 12->71 61 C:\Users\user\Contactsicjrkgu.exe, PE32 12->61 dropped 63 C:\Users\user\Contacts\System32\UKO.bat, ASCII 12->63 dropped 65 C:\Users\user\Contacts\...65ETUTILS.dll, PE32+ 12->65 dropped 67 C:\Users\user\Contacts\...67ETUTILS.EXE, PE32+ 12->67 dropped 107 Writes to foreign memory regions 12->107 109 Allocates memory in foreign processes 12->109 111 Creates a thread in another existing process (thread injection) 12->111 113 Injects a PE file into a foreign processes 12->113 17 cmd.exe 1 12->17         started        20 mobsync.exe 12->20         started        file6 signatures7 process8 signatures9 79 Uses ping.exe to sleep 17->79 81 Uses ping.exe to check the status of other devices and networks 17->81 22 cmd.exe 3 17->22         started        25 conhost.exe 17->25         started        83 Modifies the context of a thread in another process (thread injection) 20->83 85 Maps a DLL or memory area into another process 20->85 87 Tries to detect virtualization through RDTSC time measurements 20->87 27 explorer.exe 2 20->27 injected process10 signatures11 99 Uses ping.exe to sleep 22->99 101 Drops executables to the windows directory (C:\Windows) and starts them 22->101 29 easinvoker.exe 22->29         started        31 PING.EXE 1 22->31         started        34 xcopy.exe 2 22->34         started        42 6 other processes 22->42 37 Eicjrkgu.exe 27->37         started        40 Eicjrkgu.exe 27->40         started        process12 dnsIp13 44 cmd.exe 1 29->44         started        73 127.0.0.1 unknown unknown 31->73 55 C:\Windows \System32\easinvoker.exe, PE32+ 34->55 dropped 97 Multi AV Scanner detection for dropped file 37->97 57 C:\Windows \System32\KDECO.bat, ASCII 42->57 dropped 59 C:\Windows \System3259ETUTILS.dll, PE32+ 42->59 dropped file14 signatures15 process16 signatures17 103 Suspicious powershell command line found 44->103 105 Adds a directory exclusion to Windows Defender 44->105 47 powershell.exe 27 44->47         started        51 conhost.exe 44->51         started        process18 dnsIp19 75 192.168.2.1 unknown unknown 47->75 77 DLL side loading technique detected 47->77 53 conhost.exe 47->53         started        signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-11-26 12:21:13 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i3sr6qmebinarzuv7c25xub67u5t64dr5xaa3hurnjz2almbo2qq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83
Formbook
5d407049f81d3b75bf2d9eb7dc14662f533b1ca37d283e5ef50e001a7ac1f758
Formbook
5f5195f363ef21135a5b5298c2a3576bd03125eec094d769b25296eb0a2605b9
Formbook
6c6411e168c6e04022e9314130b25ae03380de6791d6a801f150679fddb64934
Formbook
86df15ac78abc1d224a4249db72d29dcb2979fd0669a15c0d291e47648dc0c1c
Formbook
88c841869430e07bb9b80e52d61d4f013c6bd8753b06807b411a428f09669c33
Formbook
99cdf3421923232c160c5075af3bf8620df65bd59cf99cc341f17a58e1eeb4f2
Formbook
b3bc74c1f3673da08a95775af5f39dd116a249d8a7e597fcd8bb56e07ae3bcd2
Formbook
fcaf8625fb1fa5959b8739045ac7531e3b6368e2276d66cbd04eb608f3614abd
Formbook
+ 11'833 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:rh6s loader persistence rat
Link:
https://tria.ge/reports/211126-pjbxssfef6/
Behaviour
Enumerates system info in registry
Gathers network information
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.barkerfamilyenterprises.com/rh6s/
Unpacked files
SH256 hash:
80862d46bdac152572d0faa96c99edb9bcb3d5d3ff5d1d41771f5cb8ad164a2c
MD5 hash:
7c09b28f7639c8b2a033e88db5d9df53
SHA1 hash:
fbcccc3c2d024228a3e1dab743b3912ed8ccbb3c
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/0d05cf97-7d1c-48ed-9e72-bf771cc40b1c/
Parent samples :
e50290f9b9cf781a2d64f7e3190de28d2b673cd24099675d3b65a80ab70cf9e1
a00a856f0d85fcb7f485777ae81a0b1c52974bb1cd2482ba5e987a7ce8207511
7c491171fbe25c5f47f560db3a857cfc716d0c4733466ac08660e8a8be9bc8cd
5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83
46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1
bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355
62d54d23908b06fb851da8829798a3d82110e0c189a8794f9d7deb9642f1542d
91b5c318543587a212464565a4df06eae2ad2823338389134f06c4409047e18e
57e117773ebe7caaac7d1db9759f5c8313d15db896f7b736459c65164770a5f5
6c2c4e5bb1275643184f07bd2bce3f51722e3b3e0557fbf0d83c0dc6461c4a5b
2d086daa30c03800b673011e6ee10d5ccdfa56842f67188ac348e30ed5cc803c
SH256 hash:
46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1
MD5 hash:
da4e703a7ba3b91389253c94430182c9
SHA1 hash:
4f832fa9e5856ed0e9c1fae8ee2d95c3f3f302e7
Link:
https://www.unpac.me/results/0d05cf97-7d1c-48ed-9e72-bf771cc40b1c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/46e51f41840a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment

Comments