MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bbe2d663bd7e2ae586d3627f7d132f19992decb9e006387f4deeb236b68e9d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bbe2d663bd7e2ae586d3627f7d132f19992decb9e006387f4deeb236b68e9d8
SHA3-384 hash: ab1231d7f974e6eb7360d7d2ee6a5a33c8bc9c4b25bef903489421f2e3fe5903824056772738aed4eb7b5fa0c5407486
SHA1 hash: 041c369abb2723b0cb5d2a27994f21cd1a82f076
MD5 hash: 6f0479fecc84863e671ae73fadb1d91c
humanhash: emma-september-indigo-spaghetti
File name:SecuriteInfo.com.Mal.Generic-S.24005.20637
Download: download sample
Signature Formbook
Create hunting rule
File size:249'344 bytes
First seen:2021-03-08 12:41:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 564f859fcbd007aecd03d8821c9b75b6 (1 x Formbook, 1 x Amadey)
ssdeep 3072:vqAA/L+3ees6NjKAG4nGHYPKs0AGkZSDXSFKfzvfd2NVvjWaiRUdhZwC5nnuzxW9:vl+ye2jhG4PK3hkZKCYx23jW/QZ7nY7
Threatray 4'107 similar samples on MalwareBazaar
TLSH 3334D010B6B1E833D5561A7A0C61C2A94E72FC949F2496C77B943F6ECE323D28E35352
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
38df43cb9db5d29c76327411c93f9427.xlsx
Verdict:
Malicious activity
Analysis date:
2021-03-08 06:42:24 UTC
Tags:
encrypted trojan exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/6dbff458-f94b-49a7-924d-0d62219cb335

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/122761/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.24005.20637.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/631153
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6bbe2d663bd7e2ae586d3627f7d132f19992decb9e006387f4deeb236b68e9d8/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-03-08 11:42:32 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1b9311365ac0c371e7e3656d8d9074a654bfff4677e074f754e5053bca200298
Formbook
34be61cbbae899e84afc83e9c84308d24a688bc2a38e9e496f357d75f0d2d27b
Formbook
36dabaa854dac855255b08b096a1fb6cee39f910dfbd2101812a0c5d33b1a983
Formbook
43aa01ebbd20c81ee60bd5b6bacabcdd0a84e0aeb892c0ea18383261dbcdb0fb
Formbook
59a6f0a402a4172f893c1747b51c7e1a7d6092fe091e1a9497067849efb5eec2
Formbook
5d7395d4e9aecd39c3b6944843d929dd3cb27bbf2e97674c4b28b56239d6a89b
Formbook
8532972f199b85a336710c894ddebea7560f7f19c774b52a0d648275960e4db4
Formbook
996142a80f928b834ec900bdaa02ac9890f97783cc73c10231571fa3a26a3ba8
Formbook
afb1636fdca55d626976ab954099894c7a235cbac8eb6c5ed2cf74673b86c82b
Formbook
c58abe9cc2eda9f80841417a5e8dd7c75416cf0183a6fda6b616a2c312450ab5
Formbook
+ 4'097 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210308-58xxl7lz5n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Xloader Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Xloader
Malware Config
C2 Extraction:
http://www.tgofilms.com/e8mc/
Unpacked files
SH256 hash:
ea8924d31c372827b7516d92b3b64f1d00b97ceea4c51199d9a5d14cf8c60b9c
MD5 hash:
ed61b1b79a2c72caf66fc8dd76c5bed0
SHA1 hash:
00e231cbd49689d6ceb491f8434fd07dde7c5477
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/f3a0e2a7-c0dc-44bb-aca5-2dc106740ea5/
Parent samples :
6bbe2d663bd7e2ae586d3627f7d132f19992decb9e006387f4deeb236b68e9d8
56f6ae8977212fbc76c8395b969260cbb6daa8e73a6118b0e1493ab71722ddc8
c9ab023170f993a0fa7889aceffcd8d85ce9f43dcb14bca321f95c6148e679e3
SH256 hash:
6bbe2d663bd7e2ae586d3627f7d132f19992decb9e006387f4deeb236b68e9d8
MD5 hash:
6f0479fecc84863e671ae73fadb1d91c
SHA1 hash:
041c369abb2723b0cb5d2a27994f21cd1a82f076
Link:
https://www.unpac.me/results/f3a0e2a7-c0dc-44bb-aca5-2dc106740ea5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bbe2d663bd7e2ae586d3627f7d132f19992decb9e006387f4deeb236b68e9d8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 6bbe2d663bd7e2ae586d3627f7d132f19992decb9e006387f4deeb236b68e9d8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1054076/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/122761/

Comments