MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ff40b2ed84520e3135881c7a31a49f2a0952e1ed7a9739527b1619bcb6ec8f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	6ff40b2ed84520e3135881c7a31a49f2a0952e1ed7a9739527b1619bcb6ec8f8
SHA3-384 hash:	e6f242d739c0ae8628ed61523c8db36eed71eb5fc588dea5c3b7609de93ed0a14b72502b1d81ab1a49366e3e979db07c
SHA1 hash:	689aa46c42c440b86e7a11a18bca0c4c6afd9c0e
MD5 hash:	1c41d0198adc92df0a83e60c27c76c78
humanhash:	timing-avocado-nitrogen-wolfram
File name:	SecuriteInfo.com.Scr.Malcodegdn30.6728.20182
Download:	download sample
Signature	Formbook Create hunting rule
File size:	645'120 bytes
First seen:	2022-04-18 11:43:01 UTC
Last seen:	2022-04-18 12:41:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:xnZHHEPo3PUuUSc6AdkuqV3wuEW2ypRxRWj:xZnEPonoawe2yVRS
Threatray	15'005 similar samples on MalwareBazaar
TLSH	T169D4BD88AF46C00EEA953D37688195F483E2EE015C4EF58634F8378E65B6FE7C5A0706
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	06b080940880d104 (12 x Formbook, 8 x AgentTesla, 5 x Loki)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

286

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/264314/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn30.6728.20182.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed update.exe

Link:

https://www.filescan.io/uploads/625d4ecbffe27d5119feade2/reports/c122cab3-a2ec-4b41-95a0-e1d9e577e350/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/71337755-179d-48e8-85ae-b87bc6a44559

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/978165

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/6ff40b2ed84520e3135881c7a31a49f2a0952e1ed7a9739527b1619bcb6ec8f8/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-18 09:29:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=n72awlwyiuqoge2yqhd2ggsj6kqjklq626uxhfjhwfqzxs3ozd4a._file

Verdict:

malicious

Label(s):

formbook

Formbook

15f6f8d6c24f2a386dfa3331b075e27e0541fcee3af502a28c49e9c3b7441d4b

Formbook

8c1de309eaa9d9a48f92587f93f88304ae1aa48aee62e7ede11893f1ca61775e

Formbook

8dce368d13b52cf207fa4139ed76adb6cc547ab99de8c3f6e5a5cbc6e391d26f

Formbook

95c6926c4af01e7a782b16967a66b3c349f24a6ab2393b1a20c47e28a1ad7249

Formbook

97e3431b489d64fb200c178334d0229cea2495e7f01856ac8571e4f085636b73

Formbook

9c6a6119bc7008246685cb9960fe21969a8bfbbea6659e6e0afa329358c60a50

Formbook

cb296d796191037eb6101d0054d226c34dd64996aa8a9d12bf56517e6d5e6705

Formbook

+ 14'995 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:nd04 loader rat

Link:

https://tria.ge/reports/220418-nvl2gadhdq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

e38623b1395f59052d1bb12d889f9656d875b4718490678efcfa693ef204756b

MD5 hash:

aeb1ffeae0ec51c4d4e0dd96953c39fc

SHA1 hash:

6454046d14776fb6dec231da503ea32033cb8bc6

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/f39d5a04-ab8e-4acc-bffa-d2962b0a3fc9/

Parent samples :

6ff40b2ed84520e3135881c7a31a49f2a0952e1ed7a9739527b1619bcb6ec8f8
37b917980a25374058247c7dc8f63393dcca983fc522bef8d2be422206d9b865

SH256 hash:

af1f5074eff36653e6d54c5c7aabf990aee2cc70a72db4cfb1707e452349c574

MD5 hash:

fc0ae7f6d4aa4aa2c27c26407936ec3d

SHA1 hash:

dfa9b61be7f02298605ffe7e007617016c9bfc2b

Link:

https://www.unpac.me/results/f39d5a04-ab8e-4acc-bffa-d2962b0a3fc9/

SH256 hash:

4d262d3d3108bcce3726e1c3e523e2e43c7419f3de6d203a24dc18585e359407

MD5 hash:

3e52ddde0be610d49b4e6a12b45105d4

SHA1 hash:

aff77b8037fd449028ceaa48f21d4f7496a04502

Link:

https://www.unpac.me/results/f39d5a04-ab8e-4acc-bffa-d2962b0a3fc9/

SH256 hash:

235d0b5e525eeddbfc2ff82ab091d3ae79dab39ea0c349aa5a95d8857875874c

MD5 hash:

1c68d45c081e0a00f4dbab79b43e6682

SHA1 hash:

8b65653d8a766a8a323f90be8bdb272d3e5b0eae

Link:

https://www.unpac.me/results/f39d5a04-ab8e-4acc-bffa-d2962b0a3fc9/

SH256 hash:

6ff40b2ed84520e3135881c7a31a49f2a0952e1ed7a9739527b1619bcb6ec8f8

MD5 hash:

1c41d0198adc92df0a83e60c27c76c78

SHA1 hash:

689aa46c42c440b86e7a11a18bca0c4c6afd9c0e

Link:

https://www.unpac.me/results/f39d5a04-ab8e-4acc-bffa-d2962b0a3fc9/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6ff40b2ed845/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/6ff40b2ed84520e3135881c7a31a49f2a0952e1ed7a9739527b1619bcb6ec8f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win32_ransom_avaddon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Avaddon ransomware
Reference:	https://twitter.com/VK_Intel/status/1300944441390370819

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/264314/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample