MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 487abe718971e8c9415793ffe0c162a4843aeeb5d4667981bb0be983f7710f4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 487abe718971e8c9415793ffe0c162a4843aeeb5d4667981bb0be983f7710f4e
SHA3-384 hash: cb23698de363124f02209bc849d6a168671f32ff5666826fecd43c0dc78e3d728e7c6d9ea28ce4eb27f647ad2a94a416
SHA1 hash: a27cacea537fd0e9c0e0a0013ce43844ae0177d3
MD5 hash: 8af256b6e67e9beacf9449529f45d83d
humanhash: ceiling-nitrogen-pip-butter
File name:8af256b6e67e9beacf9449529f45d83d
Download: download sample
Signature Formbook
Create hunting rule
File size:313'836 bytes
First seen:2022-03-01 09:25:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGi7vD00u0BN0GHWt0Njbl6TNN6HBQ75GUZwqVH9DOvvZTBpDpWFxaBEfQd:/D00u0UU40BJ6TeBQlGUZFchbpo4Jd
Threatray 13'885 similar samples on MalwareBazaar
TLSH T142642257ACC555B3E4318238987BA37BF6FB9BFA01032A5B0798A8553E115D3D72E0C2
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/245670/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/621de6b60cd58dbd9259b653/reports/dcf6f76e-cd52-460a-a0c6-6c8052256efa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0909758e-fcbb-4fae-b320-629cb6bac965
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/947988
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/487abe718971e8c9415793ffe0c162a4843aeeb5d4667981bb0be983f7710f4e/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-01 09:26:15 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jb5l44mjohumsqkxsp76bqlcuscdv3vv2rthtan3bpuyh53rb5ha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
05af1ccc6696a83c58e46a5347b40959329af79869e9747399befbe97c85104b
Formbook
0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780
Formbook
190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea
Formbook
230f53c0367ccdf77ff1f665ea66fcb2e6bb18c999b798980d8e0c9c19421eb3
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
64c7583a94ab474b9cd3509e8ca73eb7a19e70ffc2c4fa4582ccd7fd3f10c5ec
Formbook
751fb21a072dc731a17478bec40fe550f4fc6be13fb6079f38d9fc19b41021cf
Formbook
8e2fa281cc72512de1fc53eb27a9c04a524ce87c3cdf5932931ea3dc463a459a
Formbook
acf40f9d3eea74324291c55f5ab8d3678e0dcc085581bdd9cf66897f4324bc3c
Formbook
da99d68a728c3a14d186c03c30b551914fe57073f231d334be7955131cb5f921
Formbook
+ 13'875 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:rzwo loader rat suricata
Link:
https://tria.ge/reports/220301-ld7kqsbabl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
c6ceb3bbeb4b77c856253bee34ae3e19a235310111e828ee20ca3b879599e230
MD5 hash:
e39f92faf073501abbb52cc23af609fd
SHA1 hash:
3fd13d5c9e9df6cee41048284ec6fe99af7bfc16
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b9e6d8e0-a2b4-4bc3-ae54-fe91f81b11d7/
Parent samples :
1900d46bb03d8aeb4a1bfef16cd5b45903dc56c89b0dc7784b45c89f17a9f895
190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea
487abe718971e8c9415793ffe0c162a4843aeeb5d4667981bb0be983f7710f4e
9d42e6621d13c43c63721e4f9b4f63c00ef1d7e97cb0fe061bd19cbcc6e2e735
224f624a53eb1c209d1fc9161cb9d91464768960765e64855ccf547d0c64c478
SH256 hash:
6ed89c8100a12826e5d6b6c9f86949e672e735abff00b077f982fa56c0b677b0
MD5 hash:
6127700fb741f1b8402f384b3f53d3da
SHA1 hash:
7f921664966dc8390d3e0ee0a1131e26c8b2afdc
Link:
https://www.unpac.me/results/b9e6d8e0-a2b4-4bc3-ae54-fe91f81b11d7/
SH256 hash:
487abe718971e8c9415793ffe0c162a4843aeeb5d4667981bb0be983f7710f4e
MD5 hash:
8af256b6e67e9beacf9449529f45d83d
SHA1 hash:
a27cacea537fd0e9c0e0a0013ce43844ae0177d3
Link:
https://www.unpac.me/results/b9e6d8e0-a2b4-4bc3-ae54-fe91f81b11d7/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/487abe718971/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/487abe718971e8c9415793ffe0c162a4843aeeb5d4667981bb0be983f7710f4e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 487abe718971e8c9415793ffe0c162a4843aeeb5d4667981bb0be983f7710f4e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2068328/
Cape
Cape
https://www.capesandbox.com/analysis/245670/

Comments


Avatar
zbet commented on 2022-03-01 09:25:39 UTC

url : hxxp://103.156.91.63/cloud_save/vbc.exe