MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7195589ba87f4b77bc10af665070180cf807ff7d2f8198743248edda2e85b6a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7195589ba87f4b77bc10af665070180cf807ff7d2f8198743248edda2e85b6a5
SHA3-384 hash: 71825036ce074c861b20f10cf130ce5f34c4410d538caac5315648fbf2f763d225926633c6774dc106d7658e91eb6a44
SHA1 hash: a477ae983254fe49643e050ea426439378f81d43
MD5 hash: 7d68426ec31e1bc7c5e12a9e23837173
humanhash: social-fruit-enemy-william
File name:7d68426ec31e1bc7c5e12a9e23837173
Download: download sample
Signature Formbook
Create hunting rule
File size:697'856 bytes
First seen:2021-12-02 17:21:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bbc9c0e1dd018627fbe5726a5fc2ba6c (4 x Formbook, 1 x AveMariaRAT)
ssdeep 12288:CIEpAb3iVUYfqUe+L7JMlbv7fkgD8BcFcePyaW:CI8G3DYfq9+hMNTM08Cbm
Threatray 12'350 similar samples on MalwareBazaar
TLSH T13DE47D71BAD09D73C86B2A74CC47FE9C68367E512E997A8935F4A8CC4D383027A1B447
File icon (PE):PE icon
dhash icon b670390284e2da70 (14 x Formbook, 3 x RemcosRAT, 3 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4514808437.xlsx
Verdict:
Malicious activity
Analysis date:
2021-12-02 17:24:30 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/3eada865-054a-42b9-89fd-78e4af8f538e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/210832/
Detection(s):
SecuriteInfo.com.Trojan.Win32.BestaFera.7c.7325.4767.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Searching for synchronization primitives
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/576/overview
Behaviour
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/61a900be707a51cfe28b97de/reports/f04e8252-7ece-40a0-9b0f-72f7bf5e3071/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/27dcfdbb-1516-448d-8caa-bdfece67b3ab
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/900351
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 532825 Sample: QLwP5W3pt0 Startdate: 02/12/2021 Architecture: WINDOWS Score: 100 74 Malicious sample detected (through community Yara rule) 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 Yara detected DBatLoader 2->78 80 2 other signatures 2->80 9 QLwP5W3pt0.exe 1 17 2->9         started        14 Esfjmbxd.exe 14 2->14         started        process3 dnsIp4 46 onedrive.live.com 9->46 48 kq7x1q.am.files.1drv.com 9->48 50 am-files.fe.1drv.com 9->50 38 C:\Users\usersfjmbxd.exe, PE32 9->38 dropped 96 Drops PE files to the user root directory 9->96 98 Writes to foreign memory regions 9->98 100 Allocates memory in foreign processes 9->100 102 Injects a PE file into a foreign processes 9->102 16 DpiScaling.exe 9->16         started        52 onedrive.live.com 14->52 54 kq7x1q.am.files.1drv.com 14->54 56 am-files.fe.1drv.com 14->56 104 Multi AV Scanner detection for dropped file 14->104 106 Machine Learning detection for dropped file 14->106 108 Creates a thread in another existing process (thread injection) 14->108 19 logagent.exe 14->19         started        file5 signatures6 process7 signatures8 58 Modifies the context of a thread in another process (thread injection) 16->58 60 Maps a DLL or memory area into another process 16->60 62 Sample uses process hollowing technique 16->62 64 Queues an APC in another process (thread injection) 16->64 21 explorer.exe 16->21 injected 66 Tries to detect virtualization through RDTSC time measurements 19->66 process9 process10 23 Esfjmbxd.exe 17 21->23         started        27 msiexec.exe 21->27         started        29 colorcpl.exe 21->29         started        31 cmstp.exe 21->31         started        dnsIp11 40 192.168.2.1 unknown unknown 23->40 42 onedrive.live.com 23->42 44 2 other IPs or domains 23->44 82 Writes to foreign memory regions 23->82 84 Allocates memory in foreign processes 23->84 86 Creates a thread in another existing process (thread injection) 23->86 88 Injects a PE file into a foreign processes 23->88 33 DpiScaling.exe 23->33         started        90 Modifies the context of a thread in another process (thread injection) 27->90 92 Maps a DLL or memory area into another process 27->92 36 explorer.exe 128 27->36         started        94 Tries to detect virtualization through RDTSC time measurements 29->94 signatures12 process13 signatures14 68 Modifies the context of a thread in another process (thread injection) 33->68 70 Maps a DLL or memory area into another process 33->70 72 Sample uses process hollowing technique 33->72
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7195589ba87f4b77bc10af665070180cf807ff7d2f8198743248edda2e85b6a5/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-12-02 17:21:31 UTC
File Type:
PE (Exe)
Extracted files:
97
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de
Formbook
46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1
Formbook
5c175aad872d219fa23de0c83ea085fbdca8d76601167089b4e55ee66d520276
Formbook
6c6411e168c6e04022e9314130b25ae03380de6791d6a801f150679fddb64934
Formbook
8968808899b3e810e675fc87e6ff0f61c82b444183fd7f8febdb276eee05e683
Formbook
b8dc1db94b5752524bd51980516ac00c095ef291ca89d8096db6cb4b4dab91b6
Formbook
bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355
Formbook
c11992880daecda35958fd14fcf3b6e5d32a6bda8c904a888ede0dcbb1f91aa6
Formbook
fbaf103427e20432a3dcf19733b5f447bb6f0b2e5c700c76df55c2d977d080ae
Formbook
ff577215d4aaa29ae63860167282ceeb0a703daadfdaef2155102500c269caa2
Formbook
+ 12'340 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:fu6b loader persistence rat suricata
Link:
https://tria.ge/reports/211202-vxkpraagdq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.agirls.space/fu6b/
Unpacked files
SH256 hash:
68ae5ffe5ad2069a531d80461d6f5ad6c210d0a19075a193894b95392827bec3
MD5 hash:
2cdfa8240841b03c9e440fbecf1ab6a8
SHA1 hash:
5f11ffeb002745eab78b1432e49adf6caf76286a
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/6fd41c73-9574-4fd8-a3f1-b4d45b360f46/
Parent samples :
6072185720cbcf2add1e2ada668484a4d55c601fcb2840ca6b7fbf9dfacdefb8
7ef8b67819945bc8f480ca064b5e3f5a330b6744d47d24b5d1c0214ca65724a3
d6b4f7ba99b492e9b2382b51f6c49b32e86cc81b7fc6c93313f5962de4b910bd
7195589ba87f4b77bc10af665070180cf807ff7d2f8198743248edda2e85b6a5
b8aa3a9c721eae2745f1671b70869a8e3fe847a16e769d69c40727857ba54b44
897d218b958ece913adb5670a36e54f96f7d5279174c21f11cef92e31876a772
1a77fe43c21c77b47c1ea009c8a7c082eb11abcfb48ff4375cce7edc0925e9c6
a6a14f198c4aecd3c93a2e2dbecefb7f56643c231fc6eb685c5006eb825c591d
SH256 hash:
7195589ba87f4b77bc10af665070180cf807ff7d2f8198743248edda2e85b6a5
MD5 hash:
7d68426ec31e1bc7c5e12a9e23837173
SHA1 hash:
a477ae983254fe49643e050ea426439378f81d43
Link:
https://www.unpac.me/results/6fd41c73-9574-4fd8-a3f1-b4d45b360f46/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7195589ba87f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7195589ba87f4b77bc10af665070180cf807ff7d2f8198743248edda2e85b6a5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 7195589ba87f4b77bc10af665070180cf807ff7d2f8198743248edda2e85b6a5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/210832/
  
URLhaus
https://urlhaus.abuse.ch/url/1845217/

Comments


Avatar
zbet commented on 2021-12-02 17:21:37 UTC

url : hxxp://198.46.136.201/1100/vbc.exe