MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 496a9fb5d6f7b03a1dff59806fe6b74faf6755a903e82d99980769d0890f2730. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 14



SHA256 hash: 496a9fb5d6f7b03a1dff59806fe6b74faf6755a903e82d99980769d0890f2730
SHA3-384 hash: 6da732f6580ad19e3c4f31ca6b0fe513b73ba591e068b98c18b608baa5be601995574d4f86de75a0acd885af8de79a76
SHA1 hash: 57934ffb0fbe5a2f79e7164b0883430713db02c6
MD5 hash: 15d055f71e370bd9998d39591b3b79c1
humanhash: ohio-florida-johnny-quiet
File name: PAYMENT_TT_COPY.exe
Signature Formbook
File size: 931'840 bytes
First seen: 2022-03-21 06:52:31 UTC
Last seen: 2022-03-21 07:18:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 950e62f73f5e5b7317bde1e9f4b3b286 (1 x Formbook)
ssdeep 24576:bqdMzLC5KzxOOWKMK7JbxvcMOJDnVinxHCP9iWvjCPH:bq/AfT1OpVinxiP9iswH
Threatray 14'513 similar samples on MalwareBazaar
TLSH T12315BF23B6905437C13719788C579764962ABF012D78E88A7BE47E4C4FF93A23E38257
dhash icon 74e0a089898e84b4 (1 x Formbook, 1 x RemcosRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence


File Origin
# of uploads :
2
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Sending an HTTP GET request
Searching for synchronization primitives
Creating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger packed replace.exe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph ID: 592932
Sample: PAYMENT_TT_COPY.exe
Start date: 21/03/2022
Architecture: WINDOWS
Score: 100

Top-level signatures:
  Found malware configuration
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  6 other signatures

Process tree (flattened from the graph):

PAYMENT_TT_COPY.exe (started)
  DNS/IP: onedrive.live.com, bqakig.bl.files.1drv.com, bl-files.fe.1drv.com
  Dropped: C:\Users\Public\Xtmpqor.exe (PE32)
           C:\Users\Public\roqpmtX.url (MS)
           C:\Users\Public\Xtmpqor.exe:Zone.Identifier (ASCII)
  Signature: Drops PE files to the user root directory
  -> logagent.exe (started)
       Signatures: Modifies the context of a thread in another process (thread injection)
                   Maps a DLL or memory area into another process
                   Tries to detect virtualization through RDTSC time measurements
                   Queues an APC in another process (thread injection)
       -> explorer.exe (injected)
            -> Xtmpqor.exe (started)
                 DNS/IP: onedrive.live.com, bqakig.bl.files.1drv.com, bl-files.fe.1drv.com
                 Signatures: Writes to foreign memory regions
                             Allocates memory in foreign processes
                             Creates a thread in another existing process (thread injection)
                 -> DpiScaling.exe (started)
                      Signatures: Modifies the context of a thread in another process (thread injection)
                                  Maps a DLL or memory area into another process
                                  Tries to detect virtualization through RDTSC time measurements
            -> Xtmpqor.exe (started)
                 DNS/IP: 192.168.2.1 (unknown), onedrive.live.com, 2 other IPs or domains
                 Signatures: Multi AV Scanner detection for dropped file
                             Injects a PE file into a foreign processes
                 -> logagent.exe (started)
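The Sigma hits listed above (Execution from Suspicious Folder, New RUN Key Pointing to Suspicious Folder, Suspicious Program Location with Network Connections) and the process tree in the behavior graph translate directly into host-triage checks. The script below is an added example written for this entry, not code from MalwareBazaar or any of the sandbox vendors. It runs the three checks over constructed telemetry modelled on the graph (a Run-key value and a handful of process-create/connect events; none of it is real host data), and matches file contents against the SHA256 values published on this page. The list of "suspicious" folders is an assumed approximation of what the Sigma rules cover, with C:\Users\Public being the one this sample actually used; the event dictionary schema and the extra "child of explorer.exe" heuristic (derived from the graph, noisy on its own) are also assumptions.

```python
import hashlib
import re

# SHA256 values listed on this page: the submitted sample plus its two unpacked files.
KNOWN_SHA256 = {
    "496a9fb5d6f7b03a1dff59806fe6b74faf6755a903e82d99980769d0890f2730",
    "0366505ae590dc33114a827585fa0518183afba8d7d6213756fa04bf0bbd0eae",
    "ca2ce40cb878ee57a487ee26e86a6d5be9996171f32d8eea12f19f974bd6dcb8",
}

# Assumed approximation of the folders the "suspicious folder" Sigma rules cover.
# Each entry ends in a backslash so "c:\users\public\" does not match "c:\users\publicfoo\".
SUSPICIOUS_DIRS = (
    "c:\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "c:\\windows\\temp\\",
    "c:\\perflogs\\",
    "c:\\programdata\\",
)

_QUOTED = re.compile(r'^"([^"]+)"')


def executable_from_command(cmd: str) -> str:
    """Extract the image path from a Run-key value or command line (quoted or not)."""
    cmd = cmd.strip()
    m = _QUOTED.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def is_suspicious_path(path: str) -> bool:
    """True when the path lives under one of the assumed suspicious folders."""
    p = path.lower().replace("/", "\\")
    return any(d in p for d in SUSPICIOUS_DIRS)


def check_run_keys(run_values: dict) -> list:
    """Sigma 'New RUN Key Pointing to Suspicious Folder': (value name, image path) per hit."""
    return [(name, executable_from_command(cmd))
            for name, cmd in run_values.items()
            if is_suspicious_path(executable_from_command(cmd))]


def check_process_events(events: list) -> list:
    """Events are dicts: type 'create' (image, parent) or 'connect' (image, dst).
    Returns (rule, detail) tuples for the two process-level Sigma rules plus the
    graph-derived explorer.exe heuristic (assumed, not a Sigma rule)."""
    alerts = []
    for ev in events:
        image = ev["image"]
        if not is_suspicious_path(image):
            continue
        if ev["type"] == "create":
            alerts.append(("Execution from Suspicious Folder", image))
            if ev.get("parent", "").lower().endswith("\\explorer.exe"):
                alerts.append(("Suspicious child of explorer.exe", image))
        elif ev["type"] == "connect":
            alerts.append(("Suspicious Program Location with Network Connections",
                           f"{image} -> {ev['dst']}"))
    return alerts


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hashes(files: dict, known=KNOWN_SHA256) -> dict:
    """files: path -> bytes. Returns {path: sha256} for content whose digest is in `known`."""
    return {path: sha256_hex(data) for path, data in files.items()
            if sha256_hex(data) in known}


# Constructed telemetry modelled on the sandbox graph (not real host data).
SAMPLE_RUN_KEYS = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Xtmpqor": r'"C:\Users\Public\Xtmpqor.exe"',
}
SAMPLE_EVENTS = [
    {"type": "create", "image": r"C:\Users\alice\Downloads\PAYMENT_TT_COPY.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "create", "image": r"C:\Users\Public\Xtmpqor.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "connect", "image": r"C:\Users\Public\Xtmpqor.exe", "dst": "onedrive.live.com:443"},
    {"type": "connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst": "example.org:443"},
]


def triage(run_keys=SAMPLE_RUN_KEYS, events=SAMPLE_EVENTS) -> dict:
    return {"run_keys": check_run_keys(run_keys), "events": check_process_events(events)}


if __name__ == "__main__":
    for section, hits in triage().items():
        print(section)
        for hit in hits:
            print("  ", hit)
```

On a real host the Run-key values come from HKCU\Software\Microsoft\Windows\CurrentVersion\Run (the branch the sandbox saw this sample write to) and the events from Sysmon IDs 1 and 3 or an EDR export; the matching logic stays the same. Note that the PAYMENT_TT_COPY.exe launch from Downloads is deliberately not flagged here: the sandbox's "suspicious name" signature is a different heuristic from the folder-based rules.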
Threat name:
Win32.Spyware.AveMaria
Status:
Malicious
First seen:
2022-03-20 20:47:00 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
19 of 27 (70.37%)
Threat level:
  2/5
Result
Malware family:
xloader
Score:
  10/10
Tags:
family:xloader campaign:aipc loader persistence rat suricata
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SHA256 hash:
0366505ae590dc33114a827585fa0518183afba8d7d6213756fa04bf0bbd0eae
MD5 hash:
6356edc54e13e057e6512be98d3abf66
SHA1 hash:
d383382bc9efd4bdcaf122ff58ad4c17412fc62d
SHA256 hash:
ca2ce40cb878ee57a487ee26e86a6d5be9996171f32d8eea12f19f974bd6dcb8
MD5 hash:
1f2c2df0c24a74f49c5b37a45a92f826
SHA1 hash:
915f340b525a5e4cd5f3aa380c747a925ad1732d
Detections:
win_dbatloader_w0
Parent samples :
SHA256 hash:
496a9fb5d6f7b03a1dff59806fe6b74faf6755a903e82d99980769d0890f2730
MD5 hash:
15d055f71e370bd9998d39591b3b79c1
SHA1 hash:
57934ffb0fbe5a2f79e7164b0883430713db02c6
Malware family:
XLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 496a9fb5d6f7b03a1dff59806fe6b74faf6755a903e82d99980769d0890f2730

(this sample)

Delivery method
Distributed via e-mail attachment

Comments