MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4841307c8072c7aa013a5b090f7b3ee0ad2af6ad9212781edd02806b4894239e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4841307c8072c7aa013a5b090f7b3ee0ad2af6ad9212781edd02806b4894239e
SHA3-384 hash: 26d559439e316c9fa32e95b2835779059d0ca98808fd35f1d2e27717f340c62cac42c2c5af7507c828eb2ca4b3c7853a
SHA1 hash: e98a8817b1f6c664a80a0c66f3f88ff63a5b0157
MD5 hash: 5353b45c9539a13e90412b00cffd5a5a
humanhash: ten-seventeen-edward-golf
File name:vbc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:709'632 bytes
First seen:2021-08-30 14:06:24 UTC
Last seen:2021-08-30 15:37:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (74 x Formbook, 33 x Loki, 29 x Loda)
ssdeep 12288:4Xe9PPlowWX0t6mOQwg1Qd15CcYk0We12Cua6K0EAYdKq5YNMdd3SVV9fXc0HYky:1hloDX0XOf4oCursAcKWdoXc0HYkraUs
Threatray 9'913 similar samples on MalwareBazaar
TLSH T144E4013D433C8657E209F734C9D1E63D46484A0521E1E3C0FA81ADAEBD9DB58E9C22E7
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vbc.exe
Verdict:
Malicious activity
Analysis date:
2021-08-30 14:13:25 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/8de8e03d-7417-4884-b098-6c5da17825ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183799/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

SecuriteInfo.com.W32.AIDetect.malware2.8347.12829.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Launching a process
Sending a UDP request
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/48d069c8-ca08-4f3f-8130-412eb94f41b4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841632
Signature
AutoIt script contains suspicious strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Dridex Process Pattern
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 474061 Sample: vbc.exe Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 30 www.phk0.com 2->30 32 expired.namebright.com 2->32 34 cdl-lb-1356093980.us-east-1.elb.amazonaws.com 2->34 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 6 other signatures 2->50 9 vbc.exe 15 2->9         started        signatures3 process4 dnsIp5 40 a.tmp.ninja 198.251.89.86, 443, 49699 PONYNETUS United States 9->40 58 Writes to foreign memory regions 9->58 60 Maps a DLL or memory area into another process 9->60 13 svchost.exe 9->13         started        signatures6 process7 signatures8 62 Modifies the context of a thread in another process (thread injection) 13->62 64 Maps a DLL or memory area into another process 13->64 66 Sample uses process hollowing technique 13->66 68 2 other signatures 13->68 16 explorer.exe 13->16 injected process9 dnsIp10 24 www.gofshoes.com 165.231.3.186, 80 JINGYUNEU Seychelles 16->24 26 nest-estudio.com 200.58.110.234, 49721, 80 DattateccomAR Argentina 16->26 28 9 other IPs or domains 16->28 42 System process connects to network (likely due to code injection or exploit) 16->42 20 wlanext.exe 12 16->20         started        signatures11 process12 dnsIp13 36 www.gofshoes.com 20->36 38 192.168.2.1 unknown unknown 20->38 52 Modifies the context of a thread in another process (thread injection) 20->52 54 Maps a DLL or memory area into another process 20->54 56 Tries to detect virtualization through RDTSC time measurements 20->56 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4841307c8072c7aa013a5b090f7b3ee0ad2af6ad9212781edd02806b4894239e/
Threat name:
Win32.Trojan.Auzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 12:38:05 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
13 of 27 (48.15%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07f0dc41af2d35f2cdddc5e1d2e38b49db0dbfa7a80840633206c77002d019c8
Formbook
33266e265b99fe460926af991d5451a14448e9766a42e3f0b9b2f9256c3b2490
Formbook
72320946e28ee9117b85cb1a83e5e122c3938e4a79c9be1551595103cb2c311a
Formbook
7f3487008181899cb240230130ea395a1b4a925a0fcd216dfdced242e5495deb
Formbook
8bc80b212b0e625722edb58fa22d6a8e56ad344ecddc9e8ba18e740af7f20db9
Formbook
94ab46851c076f66017869f7ac4a50f9225e688d894010110fcd4839f138b949
Formbook
+ 9'903 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:att3 loader rat suricata upx
Link:
https://tria.ge/reports/210830-6e2923lcpe/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Blocklisted process makes network request
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.travelscappadocia.com/att3/
Unpacked files
SH256 hash:
50f45ac535035db26548293a8bcb18d24e525f18cbc301ee295e8c8890896f42
MD5 hash:
bbb1d4c8cfa2b2f104c90af5a2794a45
SHA1 hash:
055c9e8785800737a8bb676e396af3e68077a5f8
Link:
https://www.unpac.me/results/8d85684c-de8e-4f18-b73b-1ecbbc686caf/
SH256 hash:
4841307c8072c7aa013a5b090f7b3ee0ad2af6ad9212781edd02806b4894239e
MD5 hash:
5353b45c9539a13e90412b00cffd5a5a
SHA1 hash:
e98a8817b1f6c664a80a0c66f3f88ff63a5b0157
Link:
https://www.unpac.me/results/8d85684c-de8e-4f18-b73b-1ecbbc686caf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4841307c8072/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/4841307c8072c7aa013a5b090f7b3ee0ad2af6ad9212781edd02806b4894239e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/1577634/
Cape
Cape
https://www.capesandbox.com/analysis/183799/

Comments