MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c8d039da52a39b80531b80b28e53060c2bfefb747ef5477d100bb3c819c089b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments 1

SHA256 hash:	5c8d039da52a39b80531b80b28e53060c2bfefb747ef5477d100bb3c819c089b
SHA3-384 hash:	9f4818480e6548c66621ecd5d3b0a4f75ab63a2a1de9d3e3649327071a7a2ba2df67b9c1a33bf36af617663d03a96b96
SHA1 hash:	118b1e549ede5ef330a439a0c6ff0c0ffe043f69
MD5 hash:	fc610878793ee9ee26ed44da1549f4f8
humanhash:	failed-bravo-pennsylvania-table
File name:	fc610878793ee9ee26ed44da1549f4f8
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'166'848 bytes
First seen:	2021-08-16 22:01:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:UwXF5LWoQyFY3blhB26grF6QaXMkYKzyA/JT:7XdyL126grF6Qa8gzyiJT
Threatray	4'555 similar samples on MalwareBazaar
TLSH	T15045B53A15B83B27E079E369E6E44407B3E0945FB625ED59BCDA07A70206F4265C333E
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO.xlsx

Verdict:

Malicious activity

Analysis date:

2021-08-16 18:56:54 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer

Link:

https://app.any.run/tasks/b8db3ce2-4e60-4285-88a6-68d4a34806c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/179754/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.998-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e4188660-8310-4378-8583-c4ec233a40db

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/833918

Signature

.NET source code contains very large strings

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/5c8d039da52a39b80531b80b28e53060c2bfefb747ef5477d100bb3c819c089b/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-08-16 19:37:05 UTC

AV detection:

13 of 27 (48.15%)

Threat level:

2/5

Verdict:

malicious

Label(s):

formbook

Formbook

3edf6811850efc722b39737bf3623a42127e728f0c32a0a6ab7c66044838d307

Formbook

8189bdd4ee5ee54aa137e1bf9071a1cef9ed2ae1a6e88ad70817de3530b24545

Formbook

8fd4cf94ee8683475a5fa775b37afeaeef36e4791fd1e3ecfde74cfaaf498106

Formbook

93986eac8652157b41ac4464bed7584c6b0c04a3fcdd8bcda47592df69fee3ba

Formbook

94b77677478f890b5f9e0561aebc0f66b1b2fc4494d016e9b5a70ed0ba20980b

Formbook

94ec59e8f70de9f2fc9a4774fc7ed32a7a0495115a813537f77c9aeb505a5bc4

Formbook

9ecedea13dc027095e79edab82e3988f028dfda3ea5b5469351a52a82a60ff7f

Formbook

cf993c713cfe3b22bd4978530f420e2dc54c38d106ad5fc5a9aacb1e377b81e2

Formbook

d8de6668573d3ceb90b6794ad11ce332f7d7ece1d4cc1c40b2279ebcdc71b5dd

Formbook

+ 4'545 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:wufn loader rat

Link:

https://tria.ge/reports/210816-lpg3fc7ehj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.gaigoilaocai.com/wufn/

Unpacked files

SH256 hash:

4a548a1939677df39a2bfb4a4ac12d0ab834422db398ff76da29d985d60215f6

MD5 hash:

db1e490c36ce5a4ac5e867854ab97ed9

SHA1 hash:

f7cdf3aad88d0ab1fd919125fe67f759f50d480a

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/b53efc1e-05a3-4571-b190-53fe6c2f4434/

Parent samples :

8fd4cf94ee8683475a5fa775b37afeaeef36e4791fd1e3ecfde74cfaaf498106
28a0ad307023870bf0337867f6ef3f75fbb74bb71d768db0515c96d8d8c6d787
c422b04b5177a83b94f15e8bd6b8eca2e7e91a0c082b5035a7aa4b475e38688c
d0f6f28c586b78dfbc7d4e6c277c20761c9db38e0cd059807be5252b52d10660
ed1a7345c9e845ed31646e774cf4205e24b4a6bced4f3231929b49d857ecdf85
15dea504a6e8e75ff2177e31463ef948f854870dcd85c4d824b96e5d447e8ed4
68a5258c5c468efc0102b57b21cf9b641032d37746f510b2876d93a3271b10f2
9f64df73b619cd708696983b9eb2dea834a4e6bf62128e28adb4d8d7b2f8143f
94ec59e8f70de9f2fc9a4774fc7ed32a7a0495115a813537f77c9aeb505a5bc4
1086e2faa19287c271b669be3118a0509f3547cbe638e7f783d0c691be084be8
24f5b6729bb4de4dfa691da018caf46ab4fdb01d08fd59d78422f67d833d7167
c070fb4fd74f3cb1b4b739c8b80ea499734a7e9859ff3a0f5cd5a51ac4e0ca7e
93986eac8652157b41ac4464bed7584c6b0c04a3fcdd8bcda47592df69fee3ba
9445483350a3ed0479eed69073869e73b7837327bade374605b841a560a6ee70
ed1f6d30d9c3d855c15d37ad9ca2e2103ee55944d0654e500e247b0607b4096b
8189bdd4ee5ee54aa137e1bf9071a1cef9ed2ae1a6e88ad70817de3530b24545
574935899092cf394cbec27200bacb9e372d2e9c299d8ed91705d29fe85465c8
1e465b759dc6a6ba3993eb61557f5e7740744f1d9ca55f0a185d1ea4d8b8e30b
e3dc15f319a357a829ca2a4592287759e039a3f556bb47c13da25aee27ce3b6a
4b8221cd0f4ae01e9685557d911ab4b2f3c9c60086fe5e89901194df390974f3
39e07d983dda2437d04b37965671e84be2116f882c7c3a689ed137c8e2a1e10a
df51db89a51c233888574b864d8217a2cb900eb0711cb354a5383ecbde16b25f
511a94f3465fb39788f2c9a3c741b2f233ad6ebd6e47ab1225a1b8f34a463747
e07fbf3b9adba7e4aceb5cc6804c0002ee01c000d4e67ff3227f59eb9949c80e
4d8f0613e6c1c51cc03a64477a407ff9aee81531a4e3e0ad0c6ac6ef7efed169
9c667699c6643d42dd1264b3657141bf3b23b56f47e527e33ae83030d937cb5a
6193e9579a45f4b4204cee71e070e1bcf46532a5378ac3156ec7684f9a6134a1
835cf0393c0d695629ae18ef8e41b28a75dc0df98d8572f77394ddc5b8e0ec16
5c8d039da52a39b80531b80b28e53060c2bfefb747ef5477d100bb3c819c089b
8402867c8ded316ffb97af7aaab3fb6cea74a31bbcf4742e614f927d98b84914
00011cb5a8a25fa0000dcd7a0b057cc8fa119323e3d4b68b4f596b07eca6bb42
73ba539a238da72c6f7bd2a0e528db1de3fdd6a1d6217613229c017eb758d4c6
a57f84d7e89cc76408c67fbcc2c8e3c03bf98a8daa93209f3650ebffa09faabb
fbe3eac8deb8b145ad8ac555e27cef7d1fad66d2472f2a36a7d944cb11702520
5a1b75ac98b97b8d336bc39cfe1af7670da83ef462db07b134014aa828652a70
001a2541de77dc468f7986948da56b03dad2f57c59b77142451bd4c9bef8f8d0
f8b0b072a061719895c7fba405b3ff7483d4fe796e3fbb402de371d9cbdd3fcf
a28c1aa7b9aae861040aea6d14c8d2f860101502a18f7d8d8dc7592fde73a31a
50b80876f6d2a05b4bd054c3207319b11b2518ae4ef3f0193027356e26f856e3
8e3f34bcbcdf3fbdfda09eeb573867c7a92c97f1995db678a8d67945ea3ebe5f

SH256 hash:

6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61

MD5 hash:

03bde4a82ad64c0f314985232fbca3fa

SHA1 hash:

e8d0b6339e94192eaaca32c812f914e60576dca6

Link:

https://www.unpac.me/results/b53efc1e-05a3-4571-b190-53fe6c2f4434/

SH256 hash:

7c5d532684c491026ac9f5dd496118d46afa5f3b51947aacc4509c60fb37a15c

MD5 hash:

bc3dec119fd361fa58404db75bdea706

SHA1 hash:

6cf0344f574b2098892ad0fb08184db887e5b85e

Link:

https://www.unpac.me/results/b53efc1e-05a3-4571-b190-53fe6c2f4434/

SH256 hash:

5c8d039da52a39b80531b80b28e53060c2bfefb747ef5477d100bb3c819c089b

MD5 hash:

fc610878793ee9ee26ed44da1549f4f8

SHA1 hash:

118b1e549ede5ef330a439a0c6ff0c0ffe043f69

Link:

https://www.unpac.me/results/b53efc1e-05a3-4571-b190-53fe6c2f4434/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/5c8d039da52a39b80531b80b28e53060c2bfefb747ef5477d100bb3c819c089b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 5c8d039da52a39b80531b80b28e53060c2bfefb747ef5477d100bb3c819c089b

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1540033/

Cape

https://www.capesandbox.com/analysis/179754/

URLhaus

https://urlhaus.abuse.ch/url/1541135/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-08-16 22:01:15 UTC

url : hxxp://18.184.26.60/www/dow.exe