MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ed4b0af136119c2bc78ca0cc3e0b58f77fbe72e9c7218d7c64f3caa2e5eda5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ed4b0af136119c2bc78ca0cc3e0b58f77fbe72e9c7218d7c64f3caa2e5eda5e
SHA3-384 hash: 9b79cd57b41a801ab05e321afff5351f74b2d9c98dcca0a77cc0fee28a7db40e6dede81b19bbc22787a049373cfeb7d6
SHA1 hash: 7586520a0aa2b07c1f5035ac7cd37437f971d0ee
MD5 hash: 05ff4e6e816ac6dec4dab71a9d3b18a5
humanhash: eighteen-bulldog-indigo-venus
File name:05ff4e6e816ac6dec4dab71a9d3b18a5.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:253'345 bytes
First seen:2022-01-31 07:48:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:owZDWkYAsv0vN6zsRT9eSJdKTeebvNwrORBmzxGphr:9KAsveNmsWSdoeGMOjcx4J
Threatray 13'275 similar samples on MalwareBazaar
TLSH T14544124AA5D444DBF82D41321957E5B5E7F66040278602CF6B302F79BE4A3D22B1BBCD
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
05ff4e6e816ac6dec4dab71a9d3b18a5.exe
Verdict:
Malicious activity
Analysis date:
2022-01-31 07:56:54 UTC
Tags:
installer
Link:
https://app.any.run/tasks/7e094fae-fb86-4323-8cc2-2f25909482a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/228345/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61f79470d7fd65ae55fb4c80/reports/4fa38dbf-28e2-4f4c-b690-dd5c3921992c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f1c546b-7f93-4515-8644-d58c4335af3e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/930658
Behaviour
Behavior Graph:
n/a
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5ed4b0af136119c2bc78ca0cc3e0b58f77fbe72e9c7218d7c64f3caa2e5eda5e/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 07:56:25 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l3klblytmem4fpdyzigmhyfvr537xzzotrzbrv6gj46kuls63jpa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01222693e4698149f19d31ac66567a9815f89509bac13d690de8a5afda2bee08
Formbook
11b121ba849ce2438d07acd369c8d73e229279af58ea1dc5cbed24849f611e3a
Formbook
2cc70aab4d932d3dfce1498801d6838e967e4ddebe3a06372e8ed2e7f86792f2
Formbook
36b986f7d277f114be1166140b08a4ddb6300274d6365ea589fe129105445de7
Formbook
502303edd5a9de57b3667146e84f15fc4957242ca2ef8f75f5e503946c452ee2
Formbook
786698eab83f77c1fdc3d37daf49966befe788b0e85167083726354225176d1f
Formbook
7a0cd1587a69eaf31f745c4f39b0bfbbfbf23f1d1b483b1448da6b90fdaf6caa
Formbook
b16670d7ab7fc43029ef6033d5bf6b8a3ad78f09fefed66ec6351c7eac0a53f8
Formbook
e5c2574c2e340ec822b2d9a2e576e196f0a0c8739360387c7f2d1d1d0414ef3c
Formbook
eaf218715117371fe47edcccb82a303ad73b2aa8c491018e96167877fea125a8
Formbook
+ 13'265 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:jdo2 loader rat
Link:
https://tria.ge/reports/220131-jnpfssggfk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Unpacked files
SH256 hash:
5ed4b0af136119c2bc78ca0cc3e0b58f77fbe72e9c7218d7c64f3caa2e5eda5e
MD5 hash:
05ff4e6e816ac6dec4dab71a9d3b18a5
SHA1 hash:
7586520a0aa2b07c1f5035ac7cd37437f971d0ee
Link:
https://www.unpac.me/results/c6ea9554-225c-4cd4-b873-a38748e3f54e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/5ed4b0af136119c2bc78ca0cc3e0b58f77fbe72e9c7218d7c64f3caa2e5eda5e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 5ed4b0af136119c2bc78ca0cc3e0b58f77fbe72e9c7218d7c64f3caa2e5eda5e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/228345/
  
URLhaus
https://urlhaus.abuse.ch/url/2004811/
  
Delivery method
Distributed via web download

Comments