MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a65adb2a2830e0dad5cb8d22641a71fb5a9c8141d77c64ce1e285a93954b052. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a65adb2a2830e0dad5cb8d22641a71fb5a9c8141d77c64ce1e285a93954b052
SHA3-384 hash: 8a1b6da81f1cdffe6c836a331732bf93a5e5a2817a8e18025c6b95b11def4a3116e43cc539952be53d7d9096082ba524
SHA1 hash: be66a92051c8414a1383c414819c06a26ae1f973
MD5 hash: 4bf4e652eb6c4ddf2aad421319ffe70b
humanhash: alanine-fillet-cardinal-nuts
File name:4bf4e652eb6c4ddf2aad421319ffe70b
Download: download sample
Signature Formbook
Create hunting rule
File size:491'645 bytes
First seen:2022-01-26 16:10:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:Nw2eo4zCAfgPI2lNvPUwdyDwxU/lIM/MyHnlEqhqnvPsFeq3kR5HLMj:g1zCxI2fUpEUdIM/nHnlEyqQ/URGj
TLSH T131A41208BBE9DE93C097B9B04D778751A3B1DE001A1ACB83AF607F0E3E361D67545282
File icon (PE):PE icon
dhash icon 01707cb62a4e8c10 (1 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4bf4e652eb6c4ddf2aad421319ffe70b
Verdict:
Malicious activity
Analysis date:
2022-01-26 23:50:49 UTC
Tags:
installer
Link:
https://app.any.run/tasks/5f9c64e7-1d14-49e7-85ea-2ae102f7af6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/223489/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61f1729cd73ca9d4648e22e8/reports/1a2c646f-140d-45a9-819c-f4273631c1b8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92993aed-da5b-4ee7-9357-dd5834a3d24d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/928086
Behaviour
Behavior Graph:
n/a
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5a65adb2a2830e0dad5cb8d22641a71fb5a9c8141d77c64ce1e285a93954b052/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-01-26 11:52:59 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ahc8 loader rat
Link:
https://tria.ge/reports/220126-tmx2nafabl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Unpacked files
SH256 hash:
de1e2af18fe2a8eed8db70cc286c1b0fd53d9b6473c6f8822a065a6b4cceaf28
MD5 hash:
8412969292924176aacef4afcde574ab
SHA1 hash:
b0bd8044bee4b6ffcdefa57e4a12ebab8a9043a4
Link:
https://www.unpac.me/results/60636500-c636-4ff7-b7b8-ec723be7a0ec/
SH256 hash:
4ba151c67b778cd34dd861762d9474946f039c9d066ca04849a7b994bcc6460c
MD5 hash:
97baeeaab7313c74dfd7643c626f7dc5
SHA1 hash:
5419e7ebaabdf884bd2bde82b0aaee7b2cedb84f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/60636500-c636-4ff7-b7b8-ec723be7a0ec/
Parent samples :
5a65adb2a2830e0dad5cb8d22641a71fb5a9c8141d77c64ce1e285a93954b052
1ba84876de166844e415c6287023982232051d97ee776b37cf4a7512666494dd
0fcfde1ee285a35c722bfdd0b33f08771a26503d4bfc20541726456cf9351af1
826837df6dde8385f31f1a25df7ebdf946b9519af3142bfb87d4b9196f3822f1
6370ffa17cea91839f8a40555da2ef41f0e97d539e4bdc60871a7783abcdd7f6
cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4
35295675b2fbd8ff9900336325e3324270f083705fd0cf51f4ef28763430cdd6
51985a3bb448c49846c0560a6d577ab1f2e6dcb4c44d8f5c68d09c371a0bc485
90b9df6a803fce475920ccd036a647601a8f65bec5a7a9bbdd59a86b4bf004bf
c8781b8dca56fa093b3df95c16360b2dc381eadb10b4f9055e11b39f34284749
e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823
ba347c1008ade9d22ce86ffc99ad1b8d8bb3fe4d392d911e8c4c2f2a11c98f13
f469b5c967ff28b96444a48b6769ccde102417de9d59df1878bfe486ade890dd
54a2f208d30012237286d747e0f9c5e9d85fc5a101ad24900b569e0ec341e8c5
b0689ba526627ae1cefce61dde4198b704f4ce53f898e1222f6ce40b73bd391c
59552104d4bb2bcc6518dab735dac7dbb731a988dda8b82d39fa10911e7b8ee3
SH256 hash:
5a65adb2a2830e0dad5cb8d22641a71fb5a9c8141d77c64ce1e285a93954b052
MD5 hash:
4bf4e652eb6c4ddf2aad421319ffe70b
SHA1 hash:
be66a92051c8414a1383c414819c06a26ae1f973
Link:
https://www.unpac.me/results/60636500-c636-4ff7-b7b8-ec723be7a0ec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a65adb2a2830e0dad5cb8d22641a71fb5a9c8141d77c64ce1e285a93954b052

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 5a65adb2a2830e0dad5cb8d22641a71fb5a9c8141d77c64ce1e285a93954b052

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2007490/
Cape
Cape
https://www.capesandbox.com/analysis/223489/

Comments


Avatar
zbet commented on 2022-01-26 16:10:20 UTC

url : hxxp://103.171.0.134/couldA9/.win32.exe