MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60e52790f183036e12c61a0f9eb0cec90e757f8e862a9a49144849b9ceffb1c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	60e52790f183036e12c61a0f9eb0cec90e757f8e862a9a49144849b9ceffb1c3
SHA3-384 hash:	53bae09aac7116d4da7d0f885fd5b840907840b704cffb2b9d628e28cb28e96aa039e06d361f6b9ca356b0ebd53f2e87
SHA1 hash:	25c0dfa8e0039284cea4712acbb792fda42b2840
MD5 hash:	0e27675635ef7e5475326e19d137b6a3
humanhash:	crazy-uranus-william-violet
File name:	SecuriteInfo.com.W32.AIDetectNet.01.29790.29870
Download:	download sample
Signature	Formbook Create hunting rule
File size:	313'368 bytes
First seen:	2022-06-21 13:36:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:67eiKcXtg1FHYky+jcCpjzXRVuJ6v4qW8YOBIxSsJohfIMrtUPqo:SSFPy+wCpf9RPUJoBIXSo
TLSH	T13564CE6776E84B40D5A958B5C4DF583017F6BED76E32F2C93F0866892E023639F80B49
TrID	52.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 22.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.5% (.EXE) Win64 Executable (generic) (10523/12/4) 4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

239

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/282000/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.29790.29870.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

Launching cmd.exe command interpreter

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/62b1c987d37f664350907c0e/reports/972ec76e-8cb9-42c9-b7a2-0450828c1f94/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cf4efd95-3ea7-451b-b506-09e08f1f3248

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1017167

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/60e52790f183036e12c61a0f9eb0cec90e757f8e862a9a49144849b9ceffb1c3/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-06-21 09:17:23 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mdsspehrqmbw4ewgdihz5mgozehhk74oqyvjusiujbe3ttx7whbq._file

Verdict:

malicious

Label(s):

formbook

nanocorerat

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:r8f2 loader rat spyware stealer suricata

Link:

https://tria.ge/reports/220621-qwsxhsgae9/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Unpacked files

SH256 hash:

ca018c21a3e848b96d807bc5d7b465d147ca5005d83743ffc3fe79d840e82c16

MD5 hash:

17141e0156ed9702c4cb8f4807680053

SHA1 hash:

59c5365610742c5fb3b9cf06a1eab1f6143a241e

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/8e0c3a5a-01ba-4492-8ff0-21b0e2e404a1/

Parent samples :

d4aba71c5e7292eeea13722a41fc53166e50a6d7cdf6a1a28b94ca8c1cfc2245
60e52790f183036e12c61a0f9eb0cec90e757f8e862a9a49144849b9ceffb1c3
0fe570b36aa76e57a5f29405e9ffcdeacdb0bbb1e5baff240425049be6bb96a0
084dbb4d5e285e79982c03d187a233b24f6fe7a4ac4af9821aeb8f4c475288df

SH256 hash:

b47dc2afba4b95a6b8af6214bd4b2ceedbcd48504216f4871f895940b499886c

MD5 hash:

8b125cd9812a07219629653fe9f1af51

SHA1 hash:

50d7155c6975a8c40eb65f6015cfa52d819692f5

Link:

https://www.unpac.me/results/8e0c3a5a-01ba-4492-8ff0-21b0e2e404a1/

SH256 hash:

60e52790f183036e12c61a0f9eb0cec90e757f8e862a9a49144849b9ceffb1c3

MD5 hash:

0e27675635ef7e5475326e19d137b6a3

SHA1 hash:

25c0dfa8e0039284cea4712acbb792fda42b2840

Link:

https://www.unpac.me/results/8e0c3a5a-01ba-4492-8ff0-21b0e2e404a1/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/60e52790f183/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/60e52790f183036e12c61a0f9eb0cec90e757f8e862a9a49144849b9ceffb1c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/282000/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample