MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83
SHA3-384 hash: 54f1394d7cf83c1f5e53c4ca84fb05f3c103c0e1c715290bd440c634fa19cb53882bc0a8e7c9ba158d8be730a4adeefc
SHA1 hash: 734a49e6546fa2e8109bb49819ba8732fedf2806
MD5 hash: 2ac8d894e24bcd30aca57b0fd640250c
humanhash: double-double-stairway-sodium
File name:2ac8d894e24bcd30aca57b0fd640250c
Download: download sample
Signature Formbook
Create hunting rule
File size:740'864 bytes
First seen:2021-11-26 10:39:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 01f42bb56bd8196b0da3b3826e73efd5 (4 x Formbook, 1 x RemcosRAT, 1 x DBatLoader)
ssdeep 12288:HOYMYlxIimj6qr9wMiE+wGFYjA2KY59roDBM6nGplGJY:HOJYMimv+9wGqfKY59cM6GplGJ
Threatray 11'890 similar samples on MalwareBazaar
TLSH T163F49E17E9A7D136C5F30E3DB94E1A2864972ED09F63686E58E8FC444B7E384343A172
File icon (PE):PE icon
dhash icon 74f0888a8c8880b4 (5 x Formbook, 2 x RemcosRAT, 2 x DBatLoader)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Document7000.xlsx
Verdict:
Malicious activity
Analysis date:
2021-11-26 08:14:42 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/9faf3c47-5446-463a-86d9-dcad5f642388

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Variant.Zusy.408309.14966.9919.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dealply keylogger packed zusy
Link:
https://www.filescan.io/uploads/61a0b94db71ceed41531701d/reports/dd93456d-704a-45c8-bd82-20ffc6268f39/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a497b86e-64a9-4ce1-b90e-ad0e28cf6fdc
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896618
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-11-26 10:20:09 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1ba605473b6fc3b244f25a8838e41a642dbf9566d347d3ea084e96bbe88aebde
Formbook
1e5bb5e00fddfcc62c8bfe71b46a4c8c6c22986c7a51931d16b8ddc465170d72
Formbook
2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de
Formbook
3490cb5fd9a372722f95ed69c41e23d5cd274ce6b3c024ec1731962a380409d6
Formbook
728b23f75c1140a1763dd7c75083f2ae57afeb6ffa3d7b33a9ba1b4904c4566d
Formbook
8968808899b3e810e675fc87e6ff0f61c82b444183fd7f8febdb276eee05e683
Formbook
a67796ab32ba225ab871923548c5b98147a848edeffb72089724d6131d20dc0c
Formbook
d72799be34725e6cc9665e17895075ad8c5aa22835440abb4a342a202426379c
Formbook
+ 11'880 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ht08 loader persistence rat
Link:
https://tria.ge/reports/211126-mpyyeafbd8/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.septemberstockevent200.com/ht08/
Unpacked files
SH256 hash:
80862d46bdac152572d0faa96c99edb9bcb3d5d3ff5d1d41771f5cb8ad164a2c
MD5 hash:
7c09b28f7639c8b2a033e88db5d9df53
SHA1 hash:
fbcccc3c2d024228a3e1dab743b3912ed8ccbb3c
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/5254d7fd-c78c-4c0b-a033-facd051d878c/
Parent samples :
e50290f9b9cf781a2d64f7e3190de28d2b673cd24099675d3b65a80ab70cf9e1
a00a856f0d85fcb7f485777ae81a0b1c52974bb1cd2482ba5e987a7ce8207511
7c491171fbe25c5f47f560db3a857cfc716d0c4733466ac08660e8a8be9bc8cd
5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83
46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1
bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355
62d54d23908b06fb851da8829798a3d82110e0c189a8794f9d7deb9642f1542d
91b5c318543587a212464565a4df06eae2ad2823338389134f06c4409047e18e
57e117773ebe7caaac7d1db9759f5c8313d15db896f7b736459c65164770a5f5
6c2c4e5bb1275643184f07bd2bce3f51722e3b3e0557fbf0d83c0dc6461c4a5b
2d086daa30c03800b673011e6ee10d5ccdfa56842f67188ac348e30ed5cc803c
SH256 hash:
5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83
MD5 hash:
2ac8d894e24bcd30aca57b0fd640250c
SHA1 hash:
734a49e6546fa2e8109bb49819ba8732fedf2806
Link:
https://www.unpac.me/results/5254d7fd-c78c-4c0b-a033-facd051d878c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5627d54b0f87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/209738/
  
URLhaus
https://urlhaus.abuse.ch/url/1819565/

Comments


Avatar
zbet commented on 2021-11-26 10:39:05 UTC

url : hxxp://107.173.229.133/7000/vbc.exe