MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a3e81cad41774501120af4bc6e2779000903f0effe27a0745d68f3576f832db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a3e81cad41774501120af4bc6e2779000903f0effe27a0745d68f3576f832db
SHA3-384 hash: 0ed75efc274631c61a9ba962599aae3a49509097254773dae8107f2546eb193c3284da0369b7c1e35725b495e6b1768c
SHA1 hash: 3cdc91d076d16e6ec2db61d29827459038dec1a5
MD5 hash: ccc1bc7b37600fb5ecb943ddccbd6670
humanhash: table-black-september-foxtrot
File name:SecuriteInfo.com.Trojan.MSIL.Agent.EXS.12155.18278
Download: download sample
Signature Formbook
Create hunting rule
File size:1'110'016 bytes
First seen:2021-04-26 11:41:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 24576:+lag9fmf/nEAOo5xQ3EXUVtW1/o5ZfAElqvrKQ:k9mfPEvo5x7X4tMQfflBQ
Threatray 4'852 similar samples on MalwareBazaar
TLSH 19350120A2A49B95E07D6339C130050087F5FD2BD737D7AEBEC9B0EA1A76B414656B23
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.MSIL.Agent.EXS.12155.18278
Verdict:
Malicious activity
Analysis date:
2021-04-26 11:43:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/25d7428a-365b-4a80-9dc7-7ec086e6e0c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144324/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Agent.EXS.12155.18278.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/697848
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4a3e81cad41774501120af4bc6e2779000903f0effe27a0745d68f3576f832db/
Threat name:
ByteCode-MSIL.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2021-04-26 09:21:33 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
298b7204317915aa463fecd43ee99abbb9020e993dc0ffdcc5e382d0f590a7b8
Formbook
3488d309b21afbc3b481320bcf1209908813e2eb8a63df772f740426034b9958
Formbook
432dc27473a2ca5168e30969aab3359bb01f5936babc35811f336bcc3f195914
Formbook
5397f0168be76c7e5efee936d341eb359b9015af5e77631129dc0664105e9259
Formbook
5b7770f02c562dffdbe0cd638e288adba8f340c7231ef30fa2860b7f4b9dfa80
Formbook
64c5f02d627f750a5b60a196ddd53fc03f6bf632e7643cf996effaed8981e05d
Formbook
7ec78d6c2c919a22185cb0000f2e273d66019b8409a3ca47c819d44cedead22e
Formbook
c494dceddfa1c8c6944a93f902c641ab5f99352ba48b81849e576f7da353314c
Formbook
c9afe6904407e9b60e73edf93efbd932b6725f0f4f33306117ffc9854c21cae2
Formbook
d9f577793aa65b5e41af83ce7a258fd4dee58fc974f5af5952efc137cabbd5a2
Formbook
+ 4'842 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210426-dfehfmecp6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.grabacigar.com/hte6/
Unpacked files
SH256 hash:
e90a19eba5f2de3ba82f652221105bb0682b07c20abddec487c6f4354ea79c39
MD5 hash:
efb0de4397ea61e17d262e278b53ff86
SHA1 hash:
727fdf2ceb13262d56bdda24a02564fb3e80c8b0
Link:
https://www.unpac.me/results/163270a3-6b6f-41e2-a27d-9e6edbe7bb65/
SH256 hash:
4a3e81cad41774501120af4bc6e2779000903f0effe27a0745d68f3576f832db
MD5 hash:
ccc1bc7b37600fb5ecb943ddccbd6670
SHA1 hash:
3cdc91d076d16e6ec2db61d29827459038dec1a5
Link:
https://www.unpac.me/results/163270a3-6b6f-41e2-a27d-9e6edbe7bb65/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a3e81cad41774501120af4bc6e2779000903f0effe27a0745d68f3576f832db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 4a3e81cad41774501120af4bc6e2779000903f0effe27a0745d68f3576f832db

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1170317/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/144324/

Comments