MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50b80876f6d2a05b4bd054c3207319b11b2518ae4ef3f0193027356e26f856e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	50b80876f6d2a05b4bd054c3207319b11b2518ae4ef3f0193027356e26f856e3
SHA3-384 hash:	6a4aaf3dec712cebbd3ababf72372b22f63aadd62337c46a7b191879a917a826e01285b31f323c99b92c1279337317bc
SHA1 hash:	46c043c9d659aeb0c59d84462429a69acbf3168a
MD5 hash:	e24edf75d66ebc56d83e2c94cb885c02
humanhash:	floor-winter-tennis-coffee
File name:	e24edf75d66ebc56d83e2c94cb885c02.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	925'696 bytes
First seen:	2021-08-24 06:39:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:IDcsGI/cWQA889lMOlC8sZLsAqxqj+EUeKDWH+JBhlUim9zzTAuV2EObbq:IcAhlPTXAF+EUeKMGBnUj9zzTAS
Threatray	8'313 similar samples on MalwareBazaar
TLSH	T1E7158C306389C294EC1E8EF0167CF7A102F235E7B6C5CD6E16DA720C8E5E9D16A0765B
dhash icon	c8e4c2d1f5349c09 (15 x AgentTesla, 12 x Formbook, 8 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

306

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e24edf75d66ebc56d83e2c94cb885c02.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-24 06:44:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/41995abb-cd8f-4b50-a007-ffaf0950f832

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/181758/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.DVA.genEldorado.5319.11215.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6950f7d8-ddf2-4a7b-a20c-26c410f3ce17

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/838007

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses netstat to query active network connections and open ports

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/50b80876f6d2a05b4bd054c3207319b11b2518ae4ef3f0193027356e26f856e3/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2021-08-24 06:40:09 UTC

AV detection:

12 of 46 (26.09%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kc4aq5xw2kqfws6qktbsa4yzwenskgfoj3z7agjqe42w4jxyk3rq._file

Verdict:

malicious

Label(s):

formbook

Formbook

1086e2faa19287c271b669be3118a0509f3547cbe638e7f783d0c691be084be8

Formbook

28a0ad307023870bf0337867f6ef3f75fbb74bb71d768db0515c96d8d8c6d787

Formbook

4b8221cd0f4ae01e9685557d911ab4b2f3c9c60086fe5e89901194df390974f3

Formbook

511a94f3465fb39788f2c9a3c741b2f233ad6ebd6e47ab1225a1b8f34a463747

Formbook

5a1b75ac98b97b8d336bc39cfe1af7670da83ef462db07b134014aa828652a70

Formbook

73ba539a238da72c6f7bd2a0e528db1de3fdd6a1d6217613229c017eb758d4c6

Formbook

8fd4cf94ee8683475a5fa775b37afeaeef36e4791fd1e3ecfde74cfaaf498106

Formbook

c070fb4fd74f3cb1b4b739c8b80ea499734a7e9859ff3a0f5cd5a51ac4e0ca7e

Formbook

c422b04b5177a83b94f15e8bd6b8eca2e7e91a0c082b5035a7aa4b475e38688c

Formbook

+ 8'303 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:wufn loader rat

Link:

https://tria.ge/reports/210824-v5qbn3wgc2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.gaigoilaocai.com/wufn/

Unpacked files

SH256 hash:

4a548a1939677df39a2bfb4a4ac12d0ab834422db398ff76da29d985d60215f6

MD5 hash:

db1e490c36ce5a4ac5e867854ab97ed9

SHA1 hash:

f7cdf3aad88d0ab1fd919125fe67f759f50d480a

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/b0cbfca7-1ffb-4f96-8268-7789b84d978f/

Parent samples :

8fd4cf94ee8683475a5fa775b37afeaeef36e4791fd1e3ecfde74cfaaf498106
28a0ad307023870bf0337867f6ef3f75fbb74bb71d768db0515c96d8d8c6d787
c422b04b5177a83b94f15e8bd6b8eca2e7e91a0c082b5035a7aa4b475e38688c
d0f6f28c586b78dfbc7d4e6c277c20761c9db38e0cd059807be5252b52d10660
ed1a7345c9e845ed31646e774cf4205e24b4a6bced4f3231929b49d857ecdf85
15dea504a6e8e75ff2177e31463ef948f854870dcd85c4d824b96e5d447e8ed4
68a5258c5c468efc0102b57b21cf9b641032d37746f510b2876d93a3271b10f2
9f64df73b619cd708696983b9eb2dea834a4e6bf62128e28adb4d8d7b2f8143f
94ec59e8f70de9f2fc9a4774fc7ed32a7a0495115a813537f77c9aeb505a5bc4
1086e2faa19287c271b669be3118a0509f3547cbe638e7f783d0c691be084be8
24f5b6729bb4de4dfa691da018caf46ab4fdb01d08fd59d78422f67d833d7167
c070fb4fd74f3cb1b4b739c8b80ea499734a7e9859ff3a0f5cd5a51ac4e0ca7e
93986eac8652157b41ac4464bed7584c6b0c04a3fcdd8bcda47592df69fee3ba
9445483350a3ed0479eed69073869e73b7837327bade374605b841a560a6ee70
ed1f6d30d9c3d855c15d37ad9ca2e2103ee55944d0654e500e247b0607b4096b
8189bdd4ee5ee54aa137e1bf9071a1cef9ed2ae1a6e88ad70817de3530b24545
574935899092cf394cbec27200bacb9e372d2e9c299d8ed91705d29fe85465c8
1e465b759dc6a6ba3993eb61557f5e7740744f1d9ca55f0a185d1ea4d8b8e30b
e3dc15f319a357a829ca2a4592287759e039a3f556bb47c13da25aee27ce3b6a
4b8221cd0f4ae01e9685557d911ab4b2f3c9c60086fe5e89901194df390974f3
39e07d983dda2437d04b37965671e84be2116f882c7c3a689ed137c8e2a1e10a
df51db89a51c233888574b864d8217a2cb900eb0711cb354a5383ecbde16b25f
511a94f3465fb39788f2c9a3c741b2f233ad6ebd6e47ab1225a1b8f34a463747
e07fbf3b9adba7e4aceb5cc6804c0002ee01c000d4e67ff3227f59eb9949c80e
4d8f0613e6c1c51cc03a64477a407ff9aee81531a4e3e0ad0c6ac6ef7efed169
9c667699c6643d42dd1264b3657141bf3b23b56f47e527e33ae83030d937cb5a
6193e9579a45f4b4204cee71e070e1bcf46532a5378ac3156ec7684f9a6134a1
835cf0393c0d695629ae18ef8e41b28a75dc0df98d8572f77394ddc5b8e0ec16
5c8d039da52a39b80531b80b28e53060c2bfefb747ef5477d100bb3c819c089b
8402867c8ded316ffb97af7aaab3fb6cea74a31bbcf4742e614f927d98b84914
00011cb5a8a25fa0000dcd7a0b057cc8fa119323e3d4b68b4f596b07eca6bb42
73ba539a238da72c6f7bd2a0e528db1de3fdd6a1d6217613229c017eb758d4c6
a57f84d7e89cc76408c67fbcc2c8e3c03bf98a8daa93209f3650ebffa09faabb
fbe3eac8deb8b145ad8ac555e27cef7d1fad66d2472f2a36a7d944cb11702520
5a1b75ac98b97b8d336bc39cfe1af7670da83ef462db07b134014aa828652a70
001a2541de77dc468f7986948da56b03dad2f57c59b77142451bd4c9bef8f8d0
f8b0b072a061719895c7fba405b3ff7483d4fe796e3fbb402de371d9cbdd3fcf
a28c1aa7b9aae861040aea6d14c8d2f860101502a18f7d8d8dc7592fde73a31a
50b80876f6d2a05b4bd054c3207319b11b2518ae4ef3f0193027356e26f856e3
8e3f34bcbcdf3fbdfda09eeb573867c7a92c97f1995db678a8d67945ea3ebe5f

SH256 hash:

6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61

MD5 hash:

03bde4a82ad64c0f314985232fbca3fa

SHA1 hash:

e8d0b6339e94192eaaca32c812f914e60576dca6

Link:

https://www.unpac.me/results/b0cbfca7-1ffb-4f96-8268-7789b84d978f/

SH256 hash:

e85dbbbf0a5777b482378ad31166401065779675981198d70c86f3e269f80204

MD5 hash:

a38db05d6f383741e030d84885f15ee1

SHA1 hash:

43880196bd7f87f37f306f469dcc5ea02f9024ee

Link:

https://www.unpac.me/results/b0cbfca7-1ffb-4f96-8268-7789b84d978f/

SH256 hash:

50b80876f6d2a05b4bd054c3207319b11b2518ae4ef3f0193027356e26f856e3

MD5 hash:

e24edf75d66ebc56d83e2c94cb885c02

SHA1 hash:

46c043c9d659aeb0c59d84462429a69acbf3168a

Link:

https://www.unpac.me/results/b0cbfca7-1ffb-4f96-8268-7789b84d978f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/50b80876f6d2a05b4bd054c3207319b11b2518ae4ef3f0193027356e26f856e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 50b80876f6d2a05b4bd054c3207319b11b2518ae4ef3f0193027356e26f856e3

(this sample)

Cape

https://www.capesandbox.com/analysis/181758/

URLhaus

https://urlhaus.abuse.ch/url/1557532/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample