MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb
SHA3-384 hash:	ac4e5bceca3d456a0d645324325fc6e57b19a127228d76c761bf24648d775332ba5a1f6d8d1088a966bf4ce39acdb81c
SHA1 hash:	689a97e2c83d0e84aeca38c1330245149ef5ed0d
MD5 hash:	50439fc35eaebb32f1fdeba8ef12e7c2
humanhash:	winter-solar-echo-india
File name:	7nMMSdGgCXAfKsb.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	953'856 bytes
First seen:	2021-01-18 08:01:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:hw2ut5cBAIiXx/pWs6meqxwR+vjNV23jLsHiclsN/:2UiXx/d6meduRXHk/
Threatray	3'454 similar samples on MalwareBazaar
TLSH	8315B13D61B44A1EE4386FF359E8838C8BA9EE19152EDE0AFCF136F6D5717018606712
Reporter	abuse_ch
Tags:	exe FormBook Yahoo

abuse_ch

Malspam distributing Formbook:

HELO: sonic303-20.consmr.mail.sg3.yahoo.com
Sending IP: 106.10.242.37
From: joy sales <salejoy43@yahoo.com.sg>
Subject: : Fwd: Wire Transfer Payment
Attachment: PAY-IN 008CX.rar (contains "7nMMSdGgCXAfKsb.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7nMMSdGgCXAfKsb.exe

Verdict:

Malicious activity

Analysis date:

2021-01-18 08:11:37 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/095dff8f-115b-4f78-b2d4-4da7b56f9d6c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/112443/

Detection(s):

SecuriteInfo.com.Trojan.Siggen11.57608.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/583444

Signature

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-01-18 05:52:44 UTC

AV detection:

7 of 46 (15.22%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mxfebzckwylrpffqzaoyxaaseyco745murqusap42mg3djjstt5q._file

Verdict:

malicious

Label(s):

formbook

Formbook

43240f1dfbde94a0fb438b295e6ddb3ef5aa5ef82f42222312f2eb49b91f9de8

Formbook

518023c16668547a3d37cd93ca34ae6697364dd838c8538d6de80441f2b6c1bd

Formbook

63289870bb6e2bbb13afd47bf630c048e593afacc5c968939855f85ca5022ea4

Formbook

8b8fbe6805c361f5b04a198e8549a9797233faf4b9039004ebab000de593608d

Formbook

a7df5fff3eb06082036dd6634fa7c5022c48ae5438e5cff66bc500906c16597e

Formbook

b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a

Formbook

c826a0b0506ddc4d93aba9f41ed795a88cca8bdb8c54f4af5d8dbdf9767e9ad3

Formbook

ceb2632fac30996ac58a50455d968873321f7a18972db02e9535b485a3b0e2f7

Formbook

e49c51a6864bf50e27baca58c5a2420046cae1803c5e0338af152b50d0dcc215

Formbook

+ 3'444 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader loader rat spyware stealer trojan

Link:

https://tria.ge/reports/210118-g876544t1a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SetThreadContext

Xloader Payload

Formbook

Xloader

Malware Config

C2 Extraction:

http://www.besteprobioticakopen.online/uszn/

Unpacked files

SH256 hash:

1820c232000eaca2b342006581d1e0743ff2166f57f917b8691901867e7ad3e0

MD5 hash:

cc0ba93bd12ee998cacab013043ff2c6

SHA1 hash:

c5ca7761965d1eedceaab08eb3bc06963292bd87

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/def1dd1f-d9ce-4244-91ad-fd73f5027a9a/

Parent samples :

65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb
00b4306bf3aa94183358ece86c01bb245ca2e39ba0a2d56f5b9d8b50c3ba3e91
fe30613b322753635f37763ebfeb63e065629b56e2924e51dc188f24be3f05d6
f1cb70b8963d11aab0392a24161c0851f2d320d62aa101c3f960bcf0d7d94619
17adca833d9ccaf731ac41830d08db7b447ff391ce54052532d4d90fb4594a40
c408e9ac6c785de60c7a65c278c476165c660547645ff34ace23767ee2d16021
01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
87b9a54e05cadec6a6ba97a28c1de2b59b47987dcac4781203dc4811b2d33e24
ddaa3b6f19f3e7b9a6e8ebe8188ceea0d1bb0c285a0b2d783c8d0cc7005e37a6

SH256 hash:

232c4a2b3e780581f756cfb09310d92748331b3354a2156bc7027ef5e8ccab97

MD5 hash:

1a21af697dc5e1f378b3115b2ba00f60

SHA1 hash:

fe45f9a0dded9ccf3af215c4ce43e692d31dd946

Link:

https://www.unpac.me/results/def1dd1f-d9ce-4244-91ad-fd73f5027a9a/

SH256 hash:

59e25f5fca500fa4173ceabed6e12d65c878dae008298b2e18b2a819d8767a61

MD5 hash:

527049756ec7526dddc4ecb4ae0e1d50

SHA1 hash:

7879155e5464b953b9507ee2ec54608086b9c47b

Link:

https://www.unpac.me/results/def1dd1f-d9ce-4244-91ad-fd73f5027a9a/

SH256 hash:

65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb

MD5 hash:

50439fc35eaebb32f1fdeba8ef12e7c2

SHA1 hash:

689a97e2c83d0e84aeca38c1330245149ef5ed0d

Link:

https://www.unpac.me/results/def1dd1f-d9ce-4244-91ad-fd73f5027a9a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar deec4106a11fa81a351873db1d654e4ec6673329aba643939e7e0780f1f5d1ca

Formbook

exe 65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb

(this sample)

Dropped by

MD5 b8a4179d3c3bd4c7ca0716234f35ffaf

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/112443/

Dropped by

SHA256 deec4106a11fa81a351873db1d654e4ec6673329aba643939e7e0780f1f5d1ca

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample