MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bd5e5d02430922bfce2893c805028ae0374fee203235b379856f8bc5f574a76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bd5e5d02430922bfce2893c805028ae0374fee203235b379856f8bc5f574a76
SHA3-384 hash: 724c50f05d2d5461c043681777d1bda38234e26334edada7b66dfcf3027d30d04c2f42cff5865af145c7640fba6f0a89
SHA1 hash: 55e76c4988018dc93df899e2cda607418325910b
MD5 hash: 93b2ca391610d14085551d30b9b4dba8
humanhash: chicken-yellow-coffee-sad
File name:14500.50.Deposit.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:729'600 bytes
First seen:2021-05-05 13:19:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:vTMU6BDIVI4L3Ew37WQl1LvxthdAKPVaOtr4By0haW5m0MTZNdC:vTeDR4L31pLrX4TAWVMte
Threatray 4'966 similar samples on MalwareBazaar
TLSH 59F423C9139811A5C3AAFB7E6474825413BCE14BEB2ECA3C3F5B415C58D76024792FAB
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/150623/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6bd5e5d02430922bfce2893c805028ae0374fee203235b379856f8bc5f574a76/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 13:18:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=npk6lubegcjcx7hcre6iaubivybxj7xcamrvwn4yk34lyx2xjj3a._file
Verdict:
malicious
Similar samples:
03735650255866b1c2592bcb4567cbcb2b9d23eea5430d2e7d7c6315abadb5ad
Formbook
489e0e46a5df58a3144cd7a3ecb1fd0e29aa2db5060084ec774f1d2c8c763fd9
Formbook
63b94415ccf2fabff3be3a811ded9a5306d68ac197adc07d7c2be3b313e8a665
Formbook
7e88f1c425154e6fff6d031aaaa4d8bb4c8ff131e429f44310fd936bfc08b357
Formbook
95eedb3eaf98ec12d5f66609278d43f94e1f635420d413ee0672bbf9434aafa4
Formbook
a3d951fa76fbb0f24540b97767e2d327b9bdb2e6e93721cb3da4ac5370118dbc
Formbook
ab95bc3c40647b2b700cdb9aba76b6de220fd528fd194e6071c1747df6cb78ce
Formbook
b9ecf814b7f31a8ee1445d0256ba7a74f46d3e8f0bb588d10c54cd7f7f0fc202
Formbook
e4938a8244543631ae11deb46e8b4cc3f0a8b8b7c2d4a1246f5bfadb29e0094c
Formbook
e6e9f774351440aef9b0b309282155ad0258f6e97da820170384454711e4bef8
Formbook
+ 4'956 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210505-czryzkxe86/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.torontoroots.com/bfos/
Unpacked files
SH256 hash:
bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87
MD5 hash:
826b29e2a141b055a5491c9d7dc6eea7
SHA1 hash:
af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9
Link:
https://www.unpac.me/results/1d747bec-f55c-46cf-a472-b0b12b942992/
SH256 hash:
6bd5e5d02430922bfce2893c805028ae0374fee203235b379856f8bc5f574a76
MD5 hash:
93b2ca391610d14085551d30b9b4dba8
SHA1 hash:
55e76c4988018dc93df899e2cda607418325910b
Link:
https://www.unpac.me/results/1d747bec-f55c-46cf-a472-b0b12b942992/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bd5e5d02430922bfce2893c805028ae0374fee203235b379856f8bc5f574a76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/150623/

Comments