MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54d3a5ab9cf83b63a50a382b1f3fe4f2bdc03620744b9ecdee74723415fccd9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54d3a5ab9cf83b63a50a382b1f3fe4f2bdc03620744b9ecdee74723415fccd9d
SHA3-384 hash: ab34c42be838a594adbf55e975e74ab4b6c566a2712b38b6a7bbab64949e23e521673bfb38621907c676ef6204cb31e6
SHA1 hash: 750a418bddafa95605d2b2dae08309086234d9a8
MD5 hash: 531544a3ba94737e9aee2c6ada39a149
humanhash: quebec-mike-april-ink
File name:531544a3ba94737e9aee2c6ada39a149
Download: download sample
Signature Formbook
Create hunting rule
File size:393'728 bytes
First seen:2022-03-01 09:24:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:5UDDwU5vYNoSeWOSrSyFxrd5meGNIeJI+dqFQwkDeO2EEyvM6rfDTzNL:5U4V5RrSy3bmeGKAZwg/EEh
TLSH T10784E15DDBE3431ECAA8457E84F633E82F10D427E0AB863B94D2191A1D633F9BF80595
File icon (PE):PE icon
dhash icon 69d4b26868b2cc71 (23 x Formbook, 6 x SnakeKeylogger, 2 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/245661/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware obfuscated packed shell32.dll update.exe
Link:
https://www.filescan.io/uploads/621de678b94fb38cb42d0396/reports/94a1d3a2-b671-4805-a579-7ca2e2d43a17/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef0734d6-4d2c-418c-9e6b-a9b34b9ad63c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/948055
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/54d3a5ab9cf83b63a50a382b1f3fe4f2bdc03620744b9ecdee74723415fccd9d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-01 09:25:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:8gce loader persistence rat
Link:
https://tria.ge/reports/220301-ldmwbsbaan/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Unpacked files
SH256 hash:
f326b86e040f77f2f911f79473bea8c8388fbc1b4c0f05df7fa7d893d7563c1f
MD5 hash:
3ff0e39c09d417b36548df60b2f89028
SHA1 hash:
ac3d55cd659cd29d11a241fefbae4c92b8544cb0
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e5b8809d-2fe6-46fe-8991-9450b96dda30/
SH256 hash:
2a1c2225605de7ae1af8249a7c362d9827ecf128cffed42beda8ef7ad407519a
MD5 hash:
f0dc36a13dbab04584af5ee5feb1a629
SHA1 hash:
76f63d855339617265159d851bb884c85758126c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e5b8809d-2fe6-46fe-8991-9450b96dda30/
Parent samples :
640116c2179899f3ee364b4b549b136ec76c2d6fe08d462c36769b80c136e486
4214037b0098bd2d9c6e65a044a9af6c94c83f00580f40074ce7cdb06da455fe
6c00f2f1868618cf3ccb1e056bbdfabb89ac201b28dcb819af71258557648c9e
2fd3db9eb65d7a120e24e7245a73e4e88d4b2a7998d82986e8b2e2f20af1d932
503afb59d8192f6adb3e67db043eeb6459e8ec3fc117ef8e2f6690d5f0c4a12b
0b7b92e40a75e7c96676e65733f2babfdf0c37529c130619510b2b0b7879a697
54d3a5ab9cf83b63a50a382b1f3fe4f2bdc03620744b9ecdee74723415fccd9d
38444024682d6ea391135d374ecd6f457bb01df512801e25fcbd2931afe58d92
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/e5b8809d-2fe6-46fe-8991-9450b96dda30/
SH256 hash:
6dfa3a3704c311ca08cfb0eefa94b84b899f9464d2e33a6c8c7930867cfffe6c
MD5 hash:
aac7511aae8c919235e86cab291ca3f8
SHA1 hash:
237df6faee128c655e8f486ed87519ccb59850e6
Link:
https://www.unpac.me/results/e5b8809d-2fe6-46fe-8991-9450b96dda30/
SH256 hash:
e1157f52e7f0abf704d1fba3e74ead21cc3141a530c452fe1e4f28f869d6349e
MD5 hash:
fb29cd3ea37f97bf6b04821348c6bea9
SHA1 hash:
0a99103f0a40b3ef0453fc4c3fc337bb64898e6e
Link:
https://www.unpac.me/results/e5b8809d-2fe6-46fe-8991-9450b96dda30/
SH256 hash:
54d3a5ab9cf83b63a50a382b1f3fe4f2bdc03620744b9ecdee74723415fccd9d
MD5 hash:
531544a3ba94737e9aee2c6ada39a149
SHA1 hash:
750a418bddafa95605d2b2dae08309086234d9a8
Link:
https://www.unpac.me/results/e5b8809d-2fe6-46fe-8991-9450b96dda30/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/54d3a5ab9cf8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/54d3a5ab9cf83b63a50a382b1f3fe4f2bdc03620744b9ecdee74723415fccd9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 54d3a5ab9cf83b63a50a382b1f3fe4f2bdc03620744b9ecdee74723415fccd9d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/245661/
  
URLhaus
https://urlhaus.abuse.ch/url/2068322/
  
URLhaus
https://urlhaus.abuse.ch/url/2068326/

Comments


Avatar
zbet commented on 2022-03-01 09:24:50 UTC

url : hxxp://107.174.138.144/aam/boo.exe