MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71335267a0a48bbcf678e354b421445d3db926ec5dd9b40c2a004cebb9b166f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71335267a0a48bbcf678e354b421445d3db926ec5dd9b40c2a004cebb9b166f0
SHA3-384 hash: ca94ee031deacdb51c1d8b5e6cbf2da6a7f69061430abfde0f33fae219cea97c733c3d74c94baae76d5ddf806341460c
SHA1 hash: a227150d865fd8c5c1af938654055bc68c59de4a
MD5 hash: 6cd0a4f10dabb456456d0b7336f13116
humanhash: fillet-quebec-king-beer
File name:6cd0a4f10dabb456456d0b7336f13116.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:376'832 bytes
First seen:2021-08-25 12:01:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (74 x Formbook, 33 x Loki, 29 x Loda)
ssdeep 6144:N4XrK9PX7Fp6Gh2wWRGl0EDDf1PisZQ5rAGQwg1QtP1f4paaYlsdcaMJEdbI0PzL:GXe9PPlowWX0t6mOQwg1Qd15CcYk0Web
Threatray 9'350 similar samples on MalwareBazaar
TLSH T13F84124548C5CCE2E71AB375D0B3CF9819667832CCD56B689354EA2EB870243B853E6F
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
351
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6cd0a4f10dabb456456d0b7336f13116.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-25 12:10:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e90de689-a70e-4fd5-b51a-fb7e30d0ac51

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182311/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9b86c24c-efdf-45ec-a248-20c1f13ac9a9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/839013
Signature
AutoIt script contains suspicious strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71335267a0a48bbcf678e354b421445d3db926ec5dd9b40c2a004cebb9b166f0/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 12:02:14 UTC
AV detection:
13 of 27 (48.15%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
39d6d6751f8690fc26a41d18d14f076fce5cdffeceecdd1738d731e4ce7ddda5
Formbook
47084efc1f6a0205db28ae519b750bb03bbfb310609f9924e999e47bd99838dd
Formbook
537a1b1e9a633875a74664967b2e62803f01b619fb26df9b4762b6795ee1b0ec
Formbook
56037f063f73db6d972501996ef47add6b861c01140c3d8d51cc08de64b3d73a
Formbook
84679ca59603f405a5096114188af75d5dcc3680ef795e446bd358f48cf12046
Formbook
a456a011d3554d95939f148a5bd1e46c5fc13cdf3e35e76da3d9117903bf89b5
Formbook
b0a684c7dfc5a94e3dd2edcb1c706eae088ff9d701ec55f0adb1ae977e5e9081
Formbook
+ 9'340 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:dy8g loader rat upx
Link:
https://tria.ge/reports/210825-gh7khqnw2j/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.extinctionbrews.com/dy8g/
Unpacked files
SH256 hash:
8ee1e5bc7bb89fdcab2debc9290cf8a9e535286b06d5567933f8b163d0b962b7
MD5 hash:
e23b23e6cc22a01398993147ca04b5ea
SHA1 hash:
b2bba652da975b9e58708be1636490363ebffb3c
Link:
https://www.unpac.me/results/6c3f58cb-e591-4a30-9c32-f536afb3bb7b/
SH256 hash:
71335267a0a48bbcf678e354b421445d3db926ec5dd9b40c2a004cebb9b166f0
MD5 hash:
6cd0a4f10dabb456456d0b7336f13116
SHA1 hash:
a227150d865fd8c5c1af938654055bc68c59de4a
Link:
https://www.unpac.me/results/6c3f58cb-e591-4a30-9c32-f536afb3bb7b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/71335267a0a48bbcf678e354b421445d3db926ec5dd9b40c2a004cebb9b166f0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 71335267a0a48bbcf678e354b421445d3db926ec5dd9b40c2a004cebb9b166f0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1562681/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/182311/

Comments