MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720
SHA3-384 hash: b33dea9341c42bdbc4de1b8aa716c04bf0bf57a8b28a2642f1ba8e315d464a071db03037bfb475ff39198ae3d268609c
SHA1 hash: 1ed5613b0ad8ab4c47f07e52199a4edd27be40e6
MD5 hash: 3da25ccfa9c258e3ae26854391531c7b
humanhash: texas-carbon-fish-zebra
File name:setup_x86_x64_install.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:4'748'769 bytes
First seen:2021-10-31 06:31:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:JlrgAU/jcyw9AW5Vry+Awi0vhXYwF0kd/JKPSSXkw:JlrtP55Vry+71rFrIPXkw
Threatray 677 similar samples on MalwareBazaar
TLSH T1CE2633DC3DE0D9B4C28B69F0EE754A480F69387639C4279AF620135CF799E08639936D
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
No threats detected
Analysis date:
2021-10-31 06:37:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/97d07b3d-8d87-47d6-8eb4-1463b0a7bd57

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1f972b7-fcb8-451d-8537-488778d43bec
Result
Threat name:
FormBook SmokeLoader Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879908
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected FormBook
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 512342 Sample: setup_x86_x64_install.exe Startdate: 31/10/2021 Architecture: WINDOWS Score: 100 83 208.95.112.1 TUT-ASUS United States 2->83 85 20.189.173.20 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->85 87 5 other IPs or domains 2->87 123 Multi AV Scanner detection for domain / URL 2->123 125 Malicious sample detected (through community Yara rule) 2->125 127 Antivirus detection for URL or domain 2->127 129 19 other signatures 2->129 11 setup_x86_x64_install.exe 10 2->11         started        signatures3 process4 file5 49 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->49 dropped 14 setup_installer.exe 21 11->14         started        process6 file7 51 C:\Users\user\AppData\...\setup_install.exe, PE32 14->51 dropped 53 C:\Users\user\...\Sun03f0dc4460bc9.exe, PE32 14->53 dropped 55 C:\Users\user\...\Sun03ea09aa5c9686e5.exe, PE32 14->55 dropped 57 16 other files (9 malicious) 14->57 dropped 17 setup_install.exe 1 14->17         started        process8 dnsIp9 77 104.21.94.238 CLOUDFLARENETUS United States 17->77 79 127.0.0.1 unknown unknown 17->79 81 192.168.2.1 unknown unknown 17->81 119 Adds a directory exclusion to Windows Defender 17->119 121 Disables Windows Defender (via service or powershell) 17->121 21 cmd.exe 17->21         started        23 cmd.exe 17->23         started        25 cmd.exe 17->25         started        27 10 other processes 17->27 signatures10 process11 signatures12 30 Sun038aa349e3318e.exe 21->30         started        35 Sun038db98f99bf9a.exe 23->35         started        37 Sun03f0dc4460bc9.exe 25->37         started        131 Adds a directory exclusion to Windows Defender 27->131 133 Disables Windows Defender (via service or powershell) 27->133 39 Sun0324aba28588c0.exe 27->39         started        41 Sun03e4aeb7e43a1c.exe 27->41         started        43 Sun03d477f1a31.exe 6 27->43         started        45 5 other processes 27->45 process13 dnsIp14 89 45.142.182.152 XSSERVERNL Germany 30->89 91 103.155.92.29 TWIDC-AS-APTWIDCLimitedHK unknown 30->91 99 9 other IPs or domains 30->99 59 C:\Users\...\zo2UMLFFyw1fFhOsKBkQvepV.exe, PE32 30->59 dropped 61 C:\Users\...\8qErvLA9ENHmiMD8LVHW3IAx.exe, PE32 30->61 dropped 63 C:\Users\user\...\search_hyperfs_204[1].exe, PE32 30->63 dropped 73 24 other files (7 malicious) 30->73 dropped 103 Creates HTML files with .exe extension (expired dropper behavior) 30->103 105 Disable Windows Defender real time protection (registry) 30->105 93 162.159.134.233 CLOUDFLARENETUS United States 35->93 65 C:\Users\...\WhO56sPnILjaIgP6jHpBuy2F.exe, PE32 35->65 dropped 75 8 other files (2 malicious) 35->75 dropped 107 Tries to harvest and steal browser information (history, passwords, etc) 35->107 109 Antivirus detection for dropped file 37->109 111 Machine Learning detection for dropped file 37->111 113 Sample uses process hollowing technique 37->113 115 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 39->115 117 Checks if the current machine is a virtual machine (disk enumeration) 39->117 95 88.119.161.165 IST-ASLT Lithuania 41->95 67 C:\Users\user\AppData\...\1940953936.exe, PE32 41->67 dropped 69 C:\Users\user\AppData\...\source3[1].cfg, PE32 41->69 dropped 71 C:\Users\user\AppData\...\source3[1].cfg, PE32 41->71 dropped 101 3 other IPs or domains 43->101 97 94.140.112.53 TELEMACHBroadbandAccessCarrierServicesSI Latvia 45->97 47 mshta.exe 45->47         started        file15 signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720/
Threat name:
Win32.Trojan.Fabookie
Create hunting rule
Status:
Malicious
First seen:
2021-10-31 06:32:07 UTC
AV detection:
29 of 44 (65.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mk7azjjovhv4jrlx2wl3sgpwxegoxxgcc6ox2sbkas7vompoy4qa._file
Verdict:
malicious
Similar samples:
096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8
Formbook
4cd754af5d3b9faa7e9626f79fccc35464224247a10f4d01ef502a0423e637a7
Formbook
5bfb87691070668037df7a6bc1eac92bdb683ada3159b83c136146632835cb7f
Formbook
5f30eae71c1b0d08e7ec5adfc9a0dc98078595502b60a584a8df5cdf8cacf7fa
Formbook
91c43b63ed3549c521e4166ab7358e29ce19f8087c9053a8c6b6e4f17ddeb4c5
Formbook
9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806
Formbook
a5e44dd81280a7fbef17c18e528c9df4b1289144fbc107d011af282a69cc3062
Formbook
+ 667 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar family:xloader botnet:srtupdate33 campaign:s0iw aspackv2 backdoor infostealer loader rat stealer themida trojan
Link:
https://tria.ge/reports/211031-hamvdaffb6/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Xloader Payload
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Xloader
Malware Config
C2 Extraction:
135.181.129.119:4805
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
http://www.kyiejenner.com/s0iw/
Unpacked files
SH256 hash:
88b2d8a7fbf025987947226c9d6d72c72f93bdc182d05857893027289059ef09
MD5 hash:
3addf1aab7f2237dd61b6857f2832c9c
SHA1 hash:
2e9f422f0717ca2e8fd9d0b4fff720dcd367e2c4
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
92bc70b3e7e6c99bc93dec85ecd8db8b101a766917bee4967d36b20f5522ff57
MD5 hash:
b78915e5316a375923d57cd80d805845
SHA1 hash:
5ad907aa1adc5f7899a9304b4e814b381e4909de
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash:
6449aa2e023c5931ac91815ca54225ed
SHA1 hash:
65b5f4df2c28472469ddf924e6b0d0a61394c612
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
44f499be482cb0ecef999648b3c71c7e80eb419ad2919e18286c964fad2e2eff
MD5 hash:
963f0a1cb9c90ec8adc96f576ff63f39
SHA1 hash:
efea18de02054c3d70628b64c53cbfbdeae4d630
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
ade3b098610eebde1e80b634b80e196bcd63f1271f9b0a011ba4f4c4faa2db4a
MD5 hash:
562c4eeb24c6afe0277f4143140e1f3e
SHA1 hash:
ec5831d9b4b8513e6654abb4083cbf42ffaa2c0f
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
eb8ffea34c1766bf42f4118fee7407047f71815ef92dec221121baf95338460d
MD5 hash:
138a0694a61a8f01bec3075df64aba30
SHA1 hash:
db4e3180dc492536e7d6a42f086c9b2b4c133e13
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
9cde8e9e06dd9ce7b6e4a13e9772d6811a54b3aef023303ffcae41a85fdb33a1
MD5 hash:
a9b1f1220f1d5b0fe97d1e88a0bad407
SHA1 hash:
d290340d1766ac2d112973bc3928a8d7531fe1d7
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
82b60a8c25db65bae520e73b7a67d2a6ca1f0fe6926439d0d7f1c0d52aa2f7d4
MD5 hash:
a758705ffd480485776c573bbe7091ca
SHA1 hash:
ae62bd009da6c2bf8e91f06a9a01890f74828d07
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
3eca55b0cb2e8a53272241c5f76a039ae31ba7a6ea94352eee4ac42512799894
MD5 hash:
90394c6ea4407372a14bcfdc94e08435
SHA1 hash:
70ede6b3074b230ea852f0ed2bee05cf55ade2ff
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
a09756222e02eb1d3a0648de2d03375b42d466275f9a5374f7f1605af24fd039
MD5 hash:
b371b7e691f96654f1450e10e846023a
SHA1 hash:
58f0e9664d6775ab7f38b5411d3d727856874112
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
dd5471b0a905bf0fd3785935e8be602a4911350dd20d25576dc8d499bafb910b
MD5 hash:
b1f5f70665571b9b2793f396978a314d
SHA1 hash:
4a5a21c9e88517d3df30c3ee8e80393fe6ff8bc5
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
8372ea50848dcf6c254cf908c24627895a3129b40722344dc75621374c6b49d1
MD5 hash:
20fc8bc0e2aca24fd58efadf8e914e5d
SHA1 hash:
492a9d68b09bbfc2e03458d9366550fa23430a33
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
b45a4beb26727ce8175f956f937df8dc71e614867c5a9cf62f2831d9ddb8684b
MD5 hash:
2d42a2ccd841a3fc8f2eb0a323cb36c0
SHA1 hash:
1679368290fb8c0147033c56a2452724c9db16f7
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
4887918b59cd66475a12a9c512ec570e6f900c23ef69ff7513e2b5cd63fd2ef2
MD5 hash:
4d3446a7e14d3250e1030b67e202c8dd
SHA1 hash:
cd8fdfdfed34fcd05700293658bfcf8528e68802
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
Parent samples :
fc45728dcdf75985369c218c0386d8b5e3e49fcbce67bf41c02ba31c01300b0a
3f95733711b8f39ff7bc3458ff49ef57cd4411f3a813d648654e76c1ae7e8ea2
c3133fa0480d9bf0beff04059da58bbeae895196edba830ed00cae3c20391d10
SH256 hash:
d7e6dac7cb8cfcd1817cdc591094be5838e8848f5882601be78cffa3084dca74
MD5 hash:
9b3bda1625f99d5ac9a8645acd5d2285
SHA1 hash:
e0d2f4d390a23bea8607828cfb7de763f4409b93
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
2b6da7eb8a06121e2f5a38d1bfa47be4994c6417f6c294c9c1d38be80691a3c1
MD5 hash:
9f4894504ddbd9ff3e2ac12b11a8236f
SHA1 hash:
609365ffffc4ee23ffd0ee1e5060f1e20c2c9815
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
8ea57bdaa990685225ae6f2f88bd1508fb895302559ed6a81dfef4cea065441d
MD5 hash:
099e40b83eb7acbd0d0856ad9af3654c
SHA1 hash:
222fbf883ed59b492f0d25aacad41d21f04c2f1b
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
70a416bc97d8e5a0006f95807a84dc7c1f3d2fe368879075a340b9164490b502
MD5 hash:
3d756d9e85676ea376bcf65d77f465f3
SHA1 hash:
ea5ef5cc78bcaebaf17e88c46630faa29f276c9a
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
3a47706ed7347442eacf611fc848e18a0600e7cd5a1c501b97b0c432ba369533
MD5 hash:
031bab6562892072417dd90b262995d6
SHA1 hash:
0c6028cdfede857d03ed8a8c310c0c16490ecf24
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
919b38ffe5ad06a625e16ffbfb561fc4bfc5d9e74a000f714bdd06b12590208d
MD5 hash:
10a200409495b50264028854110c9d32
SHA1 hash:
ea2ea1cf301cf0b09a72606a5cfbcfd7f585881d
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
SH256 hash:
62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720
MD5 hash:
3da25ccfa9c258e3ae26854391531c7b
SHA1 hash:
1ed5613b0ad8ab4c47f07e52199a4edd27be40e6
Link:
https://www.unpac.me/results/b29b6ea6-1e84-418b-84dd-d61b6cee09cf/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/62be0ca52ea9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments