MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c03c06e1fecca519e1c8dcc0ed68788b0b11bbdb56c328ef44361a5ff8f84ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c03c06e1fecca519e1c8dcc0ed68788b0b11bbdb56c328ef44361a5ff8f84ce
SHA3-384 hash: 2887484828e9cd1429f9a7b2621520e902cdef7be55a8b967db689a8fabe6013c62b1deed9cc372bbb8c63173692f5a7
SHA1 hash: 72a8aaf4d21f3cb45a3852875d056e6d717a7c11
MD5 hash: 5e08d507e047ef1189ae706a0af9e3da
humanhash: oven-berlin-seven-floor
File name:5e08d507e047ef1189ae706a0af9e3da
Download: download sample
Signature Formbook
Create hunting rule
File size:6'144 bytes
First seen:2022-09-21 06:16:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 48:6KYPek1V5jxgteaFbxKHTDnwMZOYRKzEN+IkUdYzVsA4/L5hpsVtiOlK7qFWtFnU:eOoa9xKHHnmG+HUOzVmNYMBFnU
Threatray 14'497 similar samples on MalwareBazaar
TLSH T146C18225A7DA472BED624BB99CB363D113BCBB176C63C76F8D80610A5C916980C60FF0
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5e08d507e047ef1189ae706a0af9e3da
Verdict:
Malicious activity
Analysis date:
2022-09-21 06:24:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/67f12e58-8e24-418b-bc54-bc2238e9672a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311965/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.18774.9648.10711.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632aac89b333b2ec6b3d0966/reports/d049d12b-8e47-45ac-b724-0b87733dcb80/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2498a780-e9e0-4b81-ae33-53d59e696874
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1074327
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 706870 Sample: pjY49SMAoJ.exe Startdate: 21/09/2022 Architecture: WINDOWS Score: 100 34 www.vybzhighmusic.mobi 2->34 36 vybzhighmusic.mobi 2->36 40 Snort IDS alert for network traffic 2->40 42 Multi AV Scanner detection for domain / URL 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 8 other signatures 2->46 9 pjY49SMAoJ.exe 16 7 2->9         started        signatures3 process4 dnsIp5 38 207.167.64.122, 49696, 49698, 49699 UNASSIGNED Reserved 9->38 28 C:\Users\user\AppData\...\Tvlfbcad.exe, PE32 9->28 dropped 30 C:\Users\...\Tvlfbcad.exe:Zone.Identifier, ASCII 9->30 dropped 32 C:\Users\user\AppData\...\pjY49SMAoJ.exe.log, ASCII 9->32 dropped 52 Encrypted powershell cmdline option found 9->52 54 Tries to detect virtualization through RDTSC time measurements 9->54 56 Injects a PE file into a foreign processes 9->56 14 pjY49SMAoJ.exe 9->14         started        17 powershell.exe 16 9->17         started        file6 signatures7 process8 signatures9 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 19 explorer.exe 14->19 injected 21 conhost.exe 17->21         started        process10 process11 23 Tvlfbcad.exe 14 2 19->23         started        26 Tvlfbcad.exe 2 19->26         started        signatures12 48 Multi AV Scanner detection for dropped file 23->48 50 Machine Learning detection for dropped file 23->50
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c03c06e1fecca519e1c8dcc0ed68788b0b11bbdb56c328ef44361a5ff8f84ce/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-20 12:21:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nqb4a3q75tffdhq4rxga5vuhrcylcg55wvwdfdxuinq2l74pqtha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
11d6dbe5acd0b8db0a0b9bdb4ffeac6da2a896de2ef7e546fe104c9520e0f88e
Formbook
14ae647473cbf4def9becdbbb1f007fd8c96c63be5c88014415ab13e6467168f
Formbook
151fb5746b08b95408b92e08f4bbeac8c4a1a3fc3ad6f43d237357f10476b33f
Formbook
2c8f1f62d57e6d36c840fc24c6366d5ddc4f5084c0ba6abfa8a5db059c7cce3b
Formbook
6c3193fce2bc8edb1884269cc6c43445db0c8a7ca04d89605d588a72510b3ca1
Formbook
7b6d0544e8a91acc2ccfc8578a849e0726df02700c5909e8fed955199ac2a945
Formbook
8738509150857d74d2b7ce825078911b7c08e878269d5f870dd59131f0d7ec9a
Formbook
899f801815e4ba5e7ee8ec00280e479d30143bb34f02896273e203e88ae82c92
Formbook
a78ac1e6deb7edb4755cc6e128ce627b313abc8f85a0729da86d2b8761f497bd
Formbook
+ 14'487 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:poub loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220921-g12wjsfed4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Xloader payload
Formbook
Xloader
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c6b6c4e3-cb62-462e-b162-2b2eb62300d1
Unpacked files
SH256 hash:
6c03c06e1fecca519e1c8dcc0ed68788b0b11bbdb56c328ef44361a5ff8f84ce
MD5 hash:
5e08d507e047ef1189ae706a0af9e3da
SHA1 hash:
72a8aaf4d21f3cb45a3852875d056e6d717a7c11
Link:
https://www.unpac.me/results/36b3eb8b-cdf3-4a6f-8a69-1e1008dd2202/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6c03c06e1fec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/6c03c06e1fecca519e1c8dcc0ed68788b0b11bbdb56c328ef44361a5ff8f84ce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 6c03c06e1fecca519e1c8dcc0ed68788b0b11bbdb56c328ef44361a5ff8f84ce

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2308905/
Cape
Cape
https://www.capesandbox.com/analysis/311965/

Comments


Avatar
zbet commented on 2022-09-21 06:16:37 UTC

url : hxxp://207.167.64.122/Vcgkusne.exe