MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76206cfe9c2933e343b7650e368175a1a94b5f25927685e0b3fa5f317696e073. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76206cfe9c2933e343b7650e368175a1a94b5f25927685e0b3fa5f317696e073
SHA3-384 hash: dd7bfa06fd53a04e45e90f160402c49145c683e130c19b26b16514f64d81d6cf41a366d5037da48818b0bc02ecf85a7a
SHA1 hash: 026dbec6438da97c15811b329f474aac503aa47f
MD5 hash: f52e6227038fd13f5351dff792517096
humanhash: october-yankee-bluebird-glucose
File name:f52e6227038fd13f5351dff792517096
Download: download sample
Signature Formbook
Create hunting rule
File size:685'693 bytes
First seen:2022-01-27 13:52:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:VwVpkNz07AFqVzGxQws5Zlllx9f6qyVwr1p1dfs2XoYHdSSi:gKnaZ7lx9fc6s2X19SSi
TLSH T1B2E4E81D9DB5D04FC447AEF52A68DB3614142D7C6B06416232E9B6EEF6323F868A313C
File icon (PE):PE icon
dhash icon f0f0e8e8e8e892a8 (7 x Formbook, 3 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f52e6227038fd13f5351dff792517096
Verdict:
Malicious activity
Analysis date:
2022-01-27 22:59:13 UTC
Tags:
installer
Link:
https://app.any.run/tasks/c5ce04ec-9d0e-4ab3-bd9c-606e7f492f1f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/224344/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61f2a39920a5f4d327d3f15f/reports/efa3b84f-3313-4b37-ba6a-39493f68e9fc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fbbc1b5c-3ce1-43a9-8766-d68c65d58029
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/929012
Behaviour
Behavior Graph:
n/a
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/76206cfe9c2933e343b7650e368175a1a94b5f25927685e0b3fa5f317696e073/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-01-27 13:53:10 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:nt3f loader rat
Link:
https://tria.ge/reports/220127-q6e4eaebg2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Unpacked files
SH256 hash:
db357e3324b7ea2cbf32ad11d12e7402315901958b911698bcfb3eb6d9261090
MD5 hash:
5e765ad9a77e752a0e193d32076b1c47
SHA1 hash:
5a15a8afab2b787bd86bc665896facc76215a3a1
Link:
https://www.unpac.me/results/081e7b93-ab27-4839-b704-08457b37d1a6/
SH256 hash:
92a63ebf358a3b9b4a6b0dfe68fecb20ae91e7eac78aa3c686566842ca5c72c7
MD5 hash:
22a24d63a7b29cd5e2c1ee006f9804e1
SHA1 hash:
9e8c02cf0c2af9a608f04261952478641149846c
Link:
https://www.unpac.me/results/081e7b93-ab27-4839-b704-08457b37d1a6/
SH256 hash:
149fddd6d60737e0e971c03111a4bb582ca16a8f08c838e73371163191cd17d5
MD5 hash:
40056abcdc0a75b7b51b5c08b8db3c07
SHA1 hash:
05eed606a5cd55f7c72de355fd1f7ba753c9ade4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/081e7b93-ab27-4839-b704-08457b37d1a6/
Parent samples :
44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5
e4999525a5626a76247a8f02a9e08c0ea35f13f717687b8a966cddb72f8adc6f
64c7583a94ab474b9cd3509e8ca73eb7a19e70ffc2c4fa4582ccd7fd3f10c5ec
d838565cacb24cf211b9d5f72bb302a65cdab4a9b5a741385ce5efdbbdff0098
da99d68a728c3a14d186c03c30b551914fe57073f231d334be7955131cb5f921
ee5dd80f9946c3b8221409e1aed242cd36a8188850718f89722b48404906275e
ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3
76206cfe9c2933e343b7650e368175a1a94b5f25927685e0b3fa5f317696e073
ae89b5ad57da10b0c320c7ec489f66cd5e5888458d9dd8430d438df4a68456af
0377503f9ea4c7434be2f46af869900b9839be33121edcbdeeae9b8d8e0cdcce
11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41
0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f
12876a9ad6e0bd4cf0d4fd1edbc14eedf3bcc96bee95391bad387893bb07fa8c
60ba049b8af0c51a8dfbc45cacedef4180000b7739c937d22d8cbd66d4c6a8a8
0418190aadd19ac9ea51c98d516f178ce5378a5d4354d44a9b49ac814b49325e
33b08940d5a2fdd70c73fddf7e359193eb86a1d42e7cce27dba02718b7279c49
SH256 hash:
76206cfe9c2933e343b7650e368175a1a94b5f25927685e0b3fa5f317696e073
MD5 hash:
f52e6227038fd13f5351dff792517096
SHA1 hash:
026dbec6438da97c15811b329f474aac503aa47f
Link:
https://www.unpac.me/results/081e7b93-ab27-4839-b704-08457b37d1a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/76206cfe9c2933e343b7650e368175a1a94b5f25927685e0b3fa5f317696e073

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 76206cfe9c2933e343b7650e368175a1a94b5f25927685e0b3fa5f317696e073

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2009380/
Cape
Cape
https://www.capesandbox.com/analysis/224344/

Comments


Avatar
zbet commented on 2022-01-27 13:52:05 UTC

url : hxxp://13.51.173.111/400/vbc.exe