MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6526a7eed94f5bff8a1c8b3d9d0aca202b72102edb7beec08644ff9ba06e00e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6526a7eed94f5bff8a1c8b3d9d0aca202b72102edb7beec08644ff9ba06e00e2
SHA3-384 hash: b97645bb2d3101f401569d8fbe7c0a12d0e956390f7cd18417d9123fd504a8511be0151495723240954b6f4b855c563c
SHA1 hash: 28ea752d2f13934fde381a85647dfc368f909372
MD5 hash: b0fc8a096f32d026dd685bbf1a6abf50
humanhash: east-high-utah-mike
File name:Consignment Details.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:199'168 bytes
First seen:2020-12-10 14:32:09 UTC
Last seen:2020-12-10 16:40:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 40fb14010c25fc08b8989b0ac4adcfc2 (2 x SnakeKeylogger, 1 x Matiex, 1 x Formbook)
ssdeep 6144:3FW+E5n6EPtJJ2TxqtOta7QqLgLybgQUpmXkRE3weG2j4:1Wx6EwxmfQqLgZQfXdgV
Threatray 3'147 similar samples on MalwareBazaar
TLSH 17140243F210A0EAD1280771CC65FA682267FF7A45602857AD8B7C1F7AF328359D9D4E
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
28ea752d2f13934fde381a85647dfc368f909372.exe
Verdict:
No threats detected
Analysis date:
2020-12-10 14:49:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2560a666-8ecf-4122-ac07-1fc22c4ee904

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107651/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.cc.11812.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6526a7eed94f5bff8a1c8b3d9d0aca202b72102edb7beec08644ff9ba06e00e2/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2020-12-10 14:32:01 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mutkp3wzj5n77cq4rm6z2cwkeavxeebo3n565qegit7zxidoadra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2bda7325843b48687e064e2abeeef3f5eae5865fceccbbb0ad5229fcf624bf40
Formbook
80647f6b0ee0d8b14ba78bbd6cbfdf6e332692af7eb0f3348fc76facc4ad23ef
Formbook
84cb3c9404d520f05f868b550697de2803c587b02fc156764c953a12a227e4d7
Formbook
9166caa8818f4cc62ac7922d901d396e17c0ff0867c48d52bd891b05121abafd
Formbook
debe2f7e0f2e18dff0c54f3809c66256f5741b5cf9e13e065593c005db9c22de
Formbook
e4a37068ee17c112f9d33e3151e260f85e9a8b200b4958caf569cf6076447ea1
Formbook
e78b5071209858cdcb5ce02f7df3c3fb857088f7088b964791d289c789451e67
Formbook
e973f018b330b3afa0ce25d89e8e5eece3d187309e27265718cd333c28332c0b
Formbook
edb4639fe2eeb567856790fc73f716baeea57ab54fc91e31f49309009978de55
Formbook
f38659e0b47cf0d1c0a61aa87256fdf60d04b2f41a935995b2346849f2f6b246
Formbook
+ 3'137 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/201210-rxwxvqcgn6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.otmpics.com/bhg0/
Unpacked files
SH256 hash:
6526a7eed94f5bff8a1c8b3d9d0aca202b72102edb7beec08644ff9ba06e00e2
MD5 hash:
b0fc8a096f32d026dd685bbf1a6abf50
SHA1 hash:
28ea752d2f13934fde381a85647dfc368f909372
Link:
https://www.unpac.me/results/66af1450-d3d2-42bd-a1a4-7b6b997d31d9/
SH256 hash:
cbfe081a5bd1f1d45ecf980c8f003cef5ca2ca9847655ff9b983bec89d69d233
MD5 hash:
09e245db5e88244f5eb4da5783002e2a
SHA1 hash:
7ba1402a1bdda4d5b7d6f503662136dc85549663
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/66af1450-d3d2-42bd-a1a4-7b6b997d31d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/6526a7eed94f5bff8a1c8b3d9d0aca202b72102edb7beec08644ff9ba06e00e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/107651/

Comments