MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 511cfaacb35df2a07aca55efb2b27b6a557e210cb5ae1d31914336f39fc472e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 511cfaacb35df2a07aca55efb2b27b6a557e210cb5ae1d31914336f39fc472e8
SHA3-384 hash: d7c0ea7046eee37ecf937ff010f91fa82b1312d7d00c8557ae882db6e7bdbfd2c4ca918969b0534ad3985a32d6eb1634
SHA1 hash: e39344f01dcabe5e456e6aee7d71a7e47107d431
MD5 hash: 3571acd11c863c2ba7e140f2c953c631
humanhash: oregon-bulldog-delaware-summer
File name:PO0530322.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:848'384 bytes
First seen:2022-03-14 12:10:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:ss1MxDRZAFHl47P69cQW9o6aS7z0jEOg:HIbaHWusqUoj
Threatray 14'977 similar samples on MalwareBazaar
TLSH T1A905BFE0EF5893BEDC24627AC4A808700EB5199D3420FF5AA58D11DD0A67FCF59E612E
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/250168/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/622f30e4dfdfa8501c9dc5b1/reports/708ec708-626e-45a9-9226-881b1498af0b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6335b07f-1c40-4d36-9146-ae602d615626
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/956138
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/511cfaacb35df2a07aca55efb2b27b6a557e210cb5ae1d31914336f39fc472e8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-11 04:56:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=keopvlftlxzka6wkkxx3fmt3njkx4iimwwxb2mmrim3phh6eolua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03231087b8d197ac9adff7250c8ceb9c1e6d604c008e5622de78d7e1fcc78c1c
Formbook
2fc82f206abb0d6d6b4d7a916be93b408ab78f848531917b3968b066a5a31023
Formbook
326a1e669385d8e241375e9eca9f915440f1d0d3f803e6d1648f30102cbedaa6
Formbook
5d407049f81d3b75bf2d9eb7dc14662f533b1ca37d283e5ef50e001a7ac1f758
Formbook
5f5195f363ef21135a5b5298c2a3576bd03125eec094d769b25296eb0a2605b9
Formbook
86df15ac78abc1d224a4249db72d29dcb2979fd0669a15c0d291e47648dc0c1c
Formbook
9e4e02725cde43b4da85cdf054b11ad0e4a622bb54f4a967b1634ebcaea9666a
Formbook
9f55a497a04ad1181a75185f7b2ec1be0b9d33ed50f26c0c8cc82fa0f85db590
Formbook
+ 14'967 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:emn5 loader rat
Link:
https://tria.ge/reports/220314-pcltesfag5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
.NET Reactor proctector
Xloader Payload
Xloader
Unpacked files
SH256 hash:
25c92cc5ab4364c8165b68db5d215cb3578b680e33ef6f616c147c15147b9d2f
MD5 hash:
e54090a1db52eaa5a31f74a5ffacdc13
SHA1 hash:
572b640f345dbe8dc4bc44a322c8a53fd6966788
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/71476880-5a1d-4673-9112-1593a219439a/
Parent samples :
511cfaacb35df2a07aca55efb2b27b6a557e210cb5ae1d31914336f39fc472e8
0558311301419ac6bd7eb052bb7e72c543615e6d930a2d2d1c274739955bb83b
SH256 hash:
e304ec5f1e610bc62cdf24d472c6f7076a0715d8539e74015a0d42185269e393
MD5 hash:
19d025e004636a6f4b70428bf2d9f192
SHA1 hash:
8956d7f248a51003c4be8330d7527862bd8a3c89
Link:
https://www.unpac.me/results/71476880-5a1d-4673-9112-1593a219439a/
SH256 hash:
9b00e2fa33ad72dec22a5e107ab6886da72bbe0bed89a721e877c1dc3ce6a662
MD5 hash:
b4c9c16228f0ee1de70ffc6264fb720c
SHA1 hash:
437049e452a511e220abdb32df695cdf07f5a7d0
Link:
https://www.unpac.me/results/71476880-5a1d-4673-9112-1593a219439a/
SH256 hash:
e974637e081261921b2a71a48c95754201f43b5f285612b49662c8f434582421
MD5 hash:
043c0302f01b27e15ae24574627ba9f9
SHA1 hash:
0d64f9e5046e0aad60bd678d09027e2244b63108
Link:
https://www.unpac.me/results/71476880-5a1d-4673-9112-1593a219439a/
SH256 hash:
511cfaacb35df2a07aca55efb2b27b6a557e210cb5ae1d31914336f39fc472e8
MD5 hash:
3571acd11c863c2ba7e140f2c953c631
SHA1 hash:
e39344f01dcabe5e456e6aee7d71a7e47107d431
Link:
https://www.unpac.me/results/71476880-5a1d-4673-9112-1593a219439a/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/511cfaacb35d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/511cfaacb35df2a07aca55efb2b27b6a557e210cb5ae1d31914336f39fc472e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 511cfaacb35df2a07aca55efb2b27b6a557e210cb5ae1d31914336f39fc472e8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/250168/

Comments