MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 776233fa1eb951f0d8ea2d27b0da36048e6a17e1dabac5714074152ae68b8958. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 776233fa1eb951f0d8ea2d27b0da36048e6a17e1dabac5714074152ae68b8958
SHA3-384 hash: fbcd7e516a1a1e7e9766fbc97012e2aaf14e79e31b8e149bdfaf65983b3b48d01934b648f14795e6d8075335822f6f64
SHA1 hash: 5f4571ab816dd3a821813506a71634a241fe9851
MD5 hash: 1758bcfd90c89363006dd14849916afc
humanhash: ten-hydrogen-single-quiet
File name:1758bcfd90c89363006dd14849916afc
Download: download sample
Signature Formbook
Create hunting rule
File size:840'704 bytes
First seen:2022-02-17 18:23:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:T5VkoIbrlIxajJuCiVMK0k1OIOq5KGJJh6eekwH92whnlKmBfLwmeWNXRg7:MbrlIxaAVVdz1OIOq51LekwH9BxEmq
Threatray 13'734 similar samples on MalwareBazaar
TLSH T1DB05BE5631FF1056C7A2EBF10BD8E8BF866EF173120F763935812A5A8376A40CA42775
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242364/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.57439.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware obfuscated packed remote.exe replace.exe
Link:
https://www.filescan.io/uploads/620e92a7ac8ad0468b4cdc47/reports/f8a0fc22-44e8-49a5-905b-bb4dec934799/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ea58a77d-f103-4c35-81bd-acdbdcb59d1a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/941813
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: CMSTP Execution Process Creation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 574292 Sample: t0w567XL7l Startdate: 17/02/2022 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Antivirus detection for URL or domain 2->34 36 8 other signatures 2->36 10 t0w567XL7l.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\t0w567XL7l.exe.log, ASCII 10->28 dropped 46 Tries to detect virtualization through RDTSC time measurements 10->46 48 Injects a PE file into a foreign processes 10->48 14 t0w567XL7l.exe 10->14         started        signatures5 process6 signatures7 50 Modifies the context of a thread in another process (thread injection) 14->50 52 Maps a DLL or memory area into another process 14->52 54 Sample uses process hollowing technique 14->54 56 Queues an APC in another process (thread injection) 14->56 17 explorer.exe 14->17 injected process8 process9 19 cmstp.exe 17->19         started        signatures10 38 Self deletion via cmd delete 19->38 40 Modifies the context of a thread in another process (thread injection) 19->40 42 Maps a DLL or memory area into another process 19->42 44 Tries to detect virtualization through RDTSC time measurements 19->44 22 cmd.exe 1 19->22         started        24 explorer.exe 1 150 19->24         started        process11 process12 26 conhost.exe 22->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/776233fa1eb951f0d8ea2d27b0da36048e6a17e1dabac5714074152ae68b8958/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-17 05:49:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
48
AV detection:
29 of 42 (69.05%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3446a9d1fcd21b6e219220379f6b82cccf3cb967b9af1f9e91fa511e90eab639
Formbook
47d424c280738861bd8cf731e43137dc875d186cd277c6db8ab98f3e74453022
Formbook
6667380c74ccc01901ae2ae234ca53eba30ab8b27c007ce2b403aefcc11ce871
Formbook
6fe7cb8d05e0efd14937d31beb7ec072791d84020ceddd9ed70bce5b3c9f1aaf
Formbook
75e52fcffe8c57f96f521a16c80c3cfc75770ecd0f929cb88d1d4ed6f9d6e923
Formbook
9c4f8b76224562025127d622105346856558b314a57bf42fac2d7bf61de8b22c
Formbook
a5ed452879d2a8707bf07a7008c9e5be3c0cd924f089fa53811bd52a7790be38
Formbook
b5ca813a9176c8f6eb9394308c56858d9e27300f9c5a75c82eceae96b8defd83
Formbook
b744ce05ac972c78665248d8ddc39cc6779639233531957d7e93d1970fe42126
Formbook
f3a2d8b0fe1ccd8d1deb057efd255a123444b0298e24d0aabe385136580accdc
Formbook
+ 13'724 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:qr26 loader rat
Link:
https://tria.ge/reports/220217-w1gb6sebaj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
b13b0f84db2619bbac3160fe807bc7b940ad44071890dbfd4939169c932d6036
MD5 hash:
d62ca7cc3b980ac363233ca0bcd779b3
SHA1 hash:
179a19894fc3f37c9798c269e92394900a9a77c9
Link:
https://www.unpac.me/results/18f8b05e-45f1-4949-9bf2-2ae9d1d0d010/
SH256 hash:
696791e5c3a3b2e4265659dbac994ffb2558b432cc426cdd8b43617dcb2c4d07
MD5 hash:
7c9fc54dac40ff2c4ca2dcd3ce6aad45
SHA1 hash:
24426b47734a43240cb278f726803d3f77298db6
Link:
https://www.unpac.me/results/18f8b05e-45f1-4949-9bf2-2ae9d1d0d010/
SH256 hash:
77998c0b5b33058820aabeb2c59dfb472d907f733dcb19e20365f76bd2fdab25
MD5 hash:
a2d5153e22d929a7b8016020642ae4c0
SHA1 hash:
83d747bdcddf36b6a77300e557a3896940e301c4
Link:
https://www.unpac.me/results/18f8b05e-45f1-4949-9bf2-2ae9d1d0d010/
SH256 hash:
9e918369bbdee57f4c3c29b2b5ef1935d00d46474bbe5176910cc08cd34fd370
MD5 hash:
1f1bb2702e0fee67ed8ead628d07e1f3
SHA1 hash:
717f2ef88a637d84a6e86920d1ca6a88ae456e40
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/18f8b05e-45f1-4949-9bf2-2ae9d1d0d010/
Parent samples :
7612746d01cffc33f8f613b57bf35822aad22277ca6c071efe990dadd2fbc853
776233fa1eb951f0d8ea2d27b0da36048e6a17e1dabac5714074152ae68b8958
7d0f884df7b5cb377f196e56b59689a99e3e43637b7cda4e9482e31c74a625f3
1c5eb1ef71716f2a7498f3d8ee6d7aa936dac7cf4c4b920ec2c4ea8c90511824
SH256 hash:
776233fa1eb951f0d8ea2d27b0da36048e6a17e1dabac5714074152ae68b8958
MD5 hash:
1758bcfd90c89363006dd14849916afc
SHA1 hash:
5f4571ab816dd3a821813506a71634a241fe9851
Link:
https://www.unpac.me/results/18f8b05e-45f1-4949-9bf2-2ae9d1d0d010/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/776233fa1eb951f0d8ea2d27b0da36048e6a17e1dabac5714074152ae68b8958

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 776233fa1eb951f0d8ea2d27b0da36048e6a17e1dabac5714074152ae68b8958

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2046523/
Cape
Cape
https://www.capesandbox.com/analysis/242364/

Comments


Avatar
zbet commented on 2022-02-17 18:23:01 UTC

url : hxxp://180.214.239.216/Explorer10/csrss.exe