MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 583634fdc373ec476a7affbb11474a78596cede93a39322f0026ad98b1424cc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	583634fdc373ec476a7affbb11474a78596cede93a39322f0026ad98b1424cc5
SHA3-384 hash:	a6a0a42fd7efa4a2af1e4bf23f0143c3c8a5aa2588b016dab9b0b8b740549ccf453515d3d7ac0d488df7783a9ca92dd0
SHA1 hash:	0860b7010b57f2bccd6d025658696e905e2aa1a6
MD5 hash:	ccfc63bb054e87d0cf5d9895babd83c1
humanhash:	romeo-december-dakota-jersey
File name:	ccfc63bb054e87d0cf5d9895babd83c1.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	656'384 bytes
First seen:	2022-06-13 07:11:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:fxs2iNI9qbbkylIFvfWmZHNyjITWJoEyo8VdubYeQfuBn83Zt:G16+bkyy+mZHNyUTLEyoXbY1Z
TLSH	T199D4122173A95792C2B803F929E001905BF9BC2959BBEF0D7CE177EB46A6BC14072717
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

236

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ccfc63bb054e87d0cf5d9895babd83c1.exe

Verdict:

Malicious activity

Analysis date:

2022-06-14 00:06:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2226de2b-1d7d-48cc-8481-246645d8117d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/279243/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62a6e34e73b91c38f689ab4b/reports/444b360b-c655-4f4f-8a31-2722a8d01c3c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4e3debb4-6ae4-42fc-8b88-2ca07946e9c8

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1011795

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/583634fdc373ec476a7affbb11474a78596cede93a39322f0026ad98b1424cc5/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2022-06-13 07:12:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=la3dj7odopweo2t2765rcr2kpbmwz3pjhi4telyae2wzrmkcjtcq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:itq4 loader rat

Link:

https://tria.ge/reports/220613-h1hncaafa3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

8fc40df400a4d60932a79d60d7c12b97a6b66142f7d7bd723da0afde12cddf43

MD5 hash:

0f6406b41c20eaebbfb7c13d91fa0a21

SHA1 hash:

51d4fae8f061100952a6d1c851bca3b7f8593852

Link:

https://www.unpac.me/results/77e30aed-63d9-4ea2-9b99-40a7e286f70a/

SH256 hash:

fe78017f2153de0c5ca645c4255899ab044502fe5c77d5c04ced635d9fe981d9

MD5 hash:

ab47b292d4d39311539a0b97e6661f4f

SHA1 hash:

54cd9efbebe4f41b23e6f24fffac0da8f72d921b

Link:

https://www.unpac.me/results/77e30aed-63d9-4ea2-9b99-40a7e286f70a/

SH256 hash:

0cf663870e60500f8ce2e55d0735593497d1f6cf50b613ce21c797aedac1e843

MD5 hash:

5302e3e17b6320133b04907f8c899c37

SHA1 hash:

abbb6d8aa62f7d9da78927acb6c7e647bcbdc726

Link:

https://www.unpac.me/results/77e30aed-63d9-4ea2-9b99-40a7e286f70a/

SH256 hash:

6871e3fc257bd687b4613d10db9035b0c0befcc13fecdd6bbb97f9b46eaaf3bc

MD5 hash:

11327cc1077e11e39e82a40d8c175bfb

SHA1 hash:

200e4a92fa3571fa9eb5e7ecda20721eb4795faf

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/77e30aed-63d9-4ea2-9b99-40a7e286f70a/

Parent samples :

e226334635541cd4581643d39b8d8f19d1ac7519e6d3e833dcf48d4c0b1c1080
6e2d552e111d1303a2b72809cd77f7aab66ce3e7bdfc243f0dcb53c30d272736
950352c91affd434f21c97b82e49e2f55642eee65540646cca5b45384257f026
e17af127923617602c5b3aefa68aa22e97a1c6e9636b0ad69719719e3535c2ae
53f2b01b46fea6b60894eef19535ceb20e37f661839e607734c54ec5e3753200
6a8e45f9894c54efd1aff20e1ced278b688fe93b46fbace3a3b19d77b447b742
b33f2bc956ec9e983992bd165347b7041b03ee77749640a04451efb3ea2cf5d8
14641fbe2c1d62713c7893a32a0fca7e60ef1c517f2e3a1b5e1b32f1240f86b7
49c0c4810d07a4328281b5d8e63d51be03732beac6875589c5c4b800c81e1f8a
9451d316042f4dc89e61afcebdff67ccb533e14af5fd3cfe58f64c57c7af81c3
f12b517eabc8adbbbed4d0117f70bd42e00e59b3a02c8dab3d4ab95d6e1ada0c
5fa578aae701d9ee019d13aa98240d0c2cb899a8218c6ce86b99bfa2a7005fef
583634fdc373ec476a7affbb11474a78596cede93a39322f0026ad98b1424cc5
86b01fa8a457b9f282f50f1754a8ce931bb9d64f9f14c1d08d973ee1bb469559
f89fdaf70a745763294ddf8e9470b39a9575b5edb408fe40abc72531fdd89824
f373dca0591ab9127485c7c3176eb2d5b639b5281837486589884ce8f24d9dde

SH256 hash:

583634fdc373ec476a7affbb11474a78596cede93a39322f0026ad98b1424cc5

MD5 hash:

ccfc63bb054e87d0cf5d9895babd83c1

SHA1 hash:

0860b7010b57f2bccd6d025658696e905e2aa1a6

Link:

https://www.unpac.me/results/77e30aed-63d9-4ea2-9b99-40a7e286f70a/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/583634fdc373/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/583634fdc373ec476a7affbb11474a78596cede93a39322f0026ad98b1424cc5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 583634fdc373ec476a7affbb11474a78596cede93a39322f0026ad98b1424cc5

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2236005/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/279243/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample