MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d1ac5962b58c0bf6386b85fc1c2029efb0c8d5ccf0054733795eec1ea8b3291. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	4d1ac5962b58c0bf6386b85fc1c2029efb0c8d5ccf0054733795eec1ea8b3291
SHA3-384 hash:	2c451b7b53033c55c70e2318e89cbd57f812ad2363f6d3c981a9a48ca64b7f2c92a4b0d5539df9f24cccef4e242c2627
SHA1 hash:	84645956d3168cd83d40f18901170480c813a12c
MD5 hash:	30a5be45faf97c1a7eeddf81c369fc4b
humanhash:	arizona-nitrogen-solar-freddie
File name:	30a5be45faf97c1a7eeddf81c369fc4b.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	419'343 bytes
First seen:	2022-02-08 01:44:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep	6144:nw82uaAJScHj0N86PENsFJ+y/W97ePrfbuXrGFHvQl0B8tkgb3x+:28YIyg7ePrfbQUPM0B8tZb3x+
Threatray	13'150 similar samples on MalwareBazaar
TLSH	T10294D391204AB769D6150B71BB96D01E4F7B59BAA9C6C10F36D47EFAB7AC00CD30312B
File icon (PE):
dhash icon	30f0e0f0e0f0f030 (22 x Formbook, 12 x AgentTesla, 2 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

158

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/237377/

Detection(s):

SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6201cb25845a69d7734be032/reports/3cdd305d-f1d4-4134-a661-ef4f86aec37f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/822cda33-bb8f-4b20-8549-6cd6fde9cb9b

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/935751

Signature

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/4d1ac5962b58c0bf6386b85fc1c2029efb0c8d5ccf0054733795eec1ea8b3291/

Threat name:

Win32.Trojan.Risis

Status:

Malicious

First seen:

2022-02-08 01:45:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

9 of 28 (32.14%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

703f4546b4adc3e685275a9840bafac150717c3259f629f6bf9bd8e5d191ad46

Formbook

705bf99df489a6945a540499bc8c6d7b7564d9a255629e326013d4a85bb77a78

Formbook

7c7116c6a0f1e06e4c252ea45668b85c1fdf3f35216097be1208e14be4066b36

Formbook

a42b3919356aa815980faeac0fc6222bd4a2d6f6cc5bdc01c5a5f55014a9c66e

Formbook

dc65156bfa6da463f9eb980c3a551ba0cd494b53a55b3a2e9b41c766ca3c011c

Formbook

f16768c3348ef6a7bde4d734eb1f407fe577d709bca21b0526ded6065be7cc92

Formbook

f777ad0feb1db2da7abb7c793515f7af49d06a7b4fc5904a9da436ccbd59ddc3

Formbook

ff3f7736a06e89ae300270369d83b922423c8a840903b30a8a21365c4b0b0628

Formbook

+ 13'140 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:asus loader rat

Link:

https://tria.ge/reports/220208-b6fbvabgej/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Loads dropped DLL

Xloader Payload

Xloader

Unpacked files

SH256 hash:

c5b3246a725233d73f21657f0f5388dae9a667146cadb8804db452fc2d5c2e0f

MD5 hash:

630fdc3f8a470aad62789372446fcafc

SHA1 hash:

994e8510356be395674095648cd7f4297f7d767b

Link:

https://www.unpac.me/results/86fc670f-7ed8-4be6-b671-7a9741cbce27/

SH256 hash:

4d1ac5962b58c0bf6386b85fc1c2029efb0c8d5ccf0054733795eec1ea8b3291

MD5 hash:

30a5be45faf97c1a7eeddf81c369fc4b

SHA1 hash:

84645956d3168cd83d40f18901170480c813a12c

Link:

https://www.unpac.me/results/86fc670f-7ed8-4be6-b671-7a9741cbce27/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4d1ac5962b58/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 4d1ac5962b58c0bf6386b85fc1c2029efb0c8d5ccf0054733795eec1ea8b3291

(this sample)

Cape

https://www.capesandbox.com/analysis/237377/

URLhaus

https://urlhaus.abuse.ch/url/2033766/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2028278/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample