MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56f6ae8977212fbc76c8395b969260cbb6daa8e73a6118b0e1493ab71722ddc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56f6ae8977212fbc76c8395b969260cbb6daa8e73a6118b0e1493ab71722ddc8
SHA3-384 hash: 4b95740606ffcc589156f24802ec7c668cfd84be2f5045bb35b6fe4656e58a93724d54ecbf32524c266d6ad485fef6d6
SHA1 hash: 10b504ddd800474cd328ce3600b68698c52c342f
MD5 hash: a9603bd99100cac3d701d5294228bf19
humanhash: fanta-kitten-spaghetti-angel
File name:a9603bd99100cac3d701d5294228bf19.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:378'880 bytes
First seen:2021-03-10 09:46:40 UTC
Last seen:2021-03-10 11:54:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 643f00293c24d4fdd2311dc22ad519f4 (2 x RaccoonStealer, 1 x Formbook)
ssdeep 6144:45yeUG+CmIqC73I6OYBmVX8cp6RetfXhdJo7LgBq1KfXr/UV1qi:45bDKIqCk6jEscpieNXhdOPM0Kvr/pi
Threatray 4'122 similar samples on MalwareBazaar
TLSH 3A849D10BBA0C034F1F362F45A7693B8A53D7AA1A73851CF52D12AEA5A746E0FC31747
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a9603bd99100cac3d701d5294228bf19.exe
Verdict:
No threats detected
Analysis date:
2021-03-10 09:48:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cf11139b-658b-449e-ad83-5c00b8b29f64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123546/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop4.25343.9087.9906.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/634131
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Packed.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-03-10 05:52:35 UTC
AV detection:
17 of 47 (36.17%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k33k5clxeex3y5wihfnznetazo3nvkhhhjqrrmhbje5lofzc3xea._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1b9311365ac0c371e7e3656d8d9074a654bfff4677e074f754e5053bca200298
Formbook
1eaac3194b53e9523347d6d8392bb9ac437437217b530f2c61a270459c7da06e
Formbook
48b5f73b85cc94914ad9190896b29a400558a8a4a50e67132f7988e11532b5fc
Formbook
59a6f0a402a4172f893c1747b51c7e1a7d6092fe091e1a9497067849efb5eec2
Formbook
6a779c7bb81770cc34c733e0da1afb48d3ee0d4aa1e81b4c5776b2b6405c864c
Formbook
6bbe2d663bd7e2ae586d3627f7d132f19992decb9e006387f4deeb236b68e9d8
Formbook
a86f792a5a3d424b756508cb462d3ca9b454f2513a5471df5d41da33649748e9
Formbook
b2697b1c939e346a4adcf8ed2cb4a0e493f2390a54a0457c95fea5485c2fa19b
Formbook
c58abe9cc2eda9f80841417a5e8dd7c75416cf0183a6fda6b616a2c312450ab5
Formbook
ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510
Formbook
+ 4'112 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210310-6m4z7tep2n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Xloader Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Xloader
Malware Config
C2 Extraction:
http://www.tgofilms.com/e8mc/
Unpacked files
SH256 hash:
ea8924d31c372827b7516d92b3b64f1d00b97ceea4c51199d9a5d14cf8c60b9c
MD5 hash:
ed61b1b79a2c72caf66fc8dd76c5bed0
SHA1 hash:
00e231cbd49689d6ceb491f8434fd07dde7c5477
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/96a2a9cd-2ed8-4f10-ac56-61fbedf0245a/
Parent samples :
6bbe2d663bd7e2ae586d3627f7d132f19992decb9e006387f4deeb236b68e9d8
56f6ae8977212fbc76c8395b969260cbb6daa8e73a6118b0e1493ab71722ddc8
c9ab023170f993a0fa7889aceffcd8d85ce9f43dcb14bca321f95c6148e679e3
SH256 hash:
56f6ae8977212fbc76c8395b969260cbb6daa8e73a6118b0e1493ab71722ddc8
MD5 hash:
a9603bd99100cac3d701d5294228bf19
SHA1 hash:
10b504ddd800474cd328ce3600b68698c52c342f
Link:
https://www.unpac.me/results/96a2a9cd-2ed8-4f10-ac56-61fbedf0245a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MultiPlug
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/56f6ae8977212fbc76c8395b969260cbb6daa8e73a6118b0e1493ab71722ddc8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 56f6ae8977212fbc76c8395b969260cbb6daa8e73a6118b0e1493ab71722ddc8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1054076/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/123546/

Comments